Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample Name:	file.exe
Analysis ID:	1313517
MD5:	2ba491f6b487017a1c58b647a7e05d3c
SHA1:	b5b7f44bf018de87168323cceb09a0934ea661e0
SHA256:	e46720cac2a8956c652db483c7dd7b7fe0bcf7cdf8653d9687159e6355a17d7b
Tags:	exe
Infos:

Detection

Babuk, Clipboard Hijacker, Djvu, Fabookie, Glupteba, RedLine, SmokeLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected RedLine Stealer

Detected unpacking (overwrites its own PE header)

Found ransom note / readme

Yara detected Babuk Ransomware

Yara detected SmokeLoader

Yara detected Glupteba

System process connects to network (likely due to code injection or exploit)

Detected unpacking (changes PE section rights)

Antivirus detection for URL or domain

Antivirus detection for dropped file

Sigma detected: Drops script at startup location

Yara detected Clipboard Hijacker

Detected unpacking (creates a PE file in dynamic memory)

Found malware configuration

Yara detected Fabookie

Benign windows process drops PE files

Malicious sample detected (through community Yara rule)

Yara detected onlyLogger

Antivirus / Scanner detection for submitted sample

Yara detected Djvu Ransomware

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Maps a DLL or memory area into another process

Creates multiple autostart registry keys

Found Tor onion address

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Machine Learning detection for sample

Allocates memory in foreign processes

Modifies existing user documents (likely ransomware behavior)

Injects a PE file into a foreign processes

Contains functionality to inject code into remote processes

Writes many files with high entropy

Deletes itself after installation

Drops script or batch files to the startup folder

Writes a notice file (html or txt) to demand a ransom

Creates a thread in another existing process (thread injection)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Checks if the current machine is a virtual machine (disk enumeration)

Tries to harvest and steal browser information (history, passwords, etc)

PE file contains section with special chars

Writes to foreign memory regions

Tries to detect sandboxes / dynamic malware analysis system (file name check)

Yara detected Generic Downloader

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Contains functionality to query locales information (e.g. system language)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Stores files to the Windows start menu directory

Found evasive API chain (may stop execution after checking a module file name)

Contains functionality to dynamically determine API calls

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Drops files with a non-matching file extension (content does not match file extension)

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Checks if the current process is being debugged

Binary contains a suspicious time stamp

Creates a start menu entry (Start Menu\Programs\Startup)

Registers a DLL

PE file contains more sections than normal

Creates a process in suspended mode (likely to inject code)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

PE file contains sections with non-standard names

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to call native functions

Found dropped PE file which has not been started or loaded

Contains functionality to record screenshots

Contains functionality which may be used to detect a debugger (GetProcessHeap)

PE file contains executable resources (Code or Archives)

Contains functionality for execution timing, often used to detect debuggers

Entry point lies outside standard sections

Creates a DirectInput object (often for capturing keystrokes)

Sample file is different than original file name gathered from version info

PE file contains an invalid checksum

Extensive use of GetProcAddress (often used to hide API calls)

Uses cacls to modify the permissions of files

Connects to several IPs in different countries

Contains functionality to launch a program with higher privileges

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Uses Microsoft's Enhanced Cryptographic Provider

Contains functionality to query network adapater information

Classification

Process Tree

System is w10x64

svchost.exe (PID: 6248 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

file.exe (PID: 6580 cmdline: C:\Users\user\Desktop\file.exe MD5: 2BA491F6B487017A1C58B647A7E05D3C)

explorer.exe (PID: 3524 cmdline: C:\Windows\Explorer.EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D)

4A15.exe (PID: 4692 cmdline: C:\Users\user\AppData\Local\Temp\4A15.exe MD5: 0511A0C819ADE47392A2F3A51EAF1F0B)

4A15.exe (PID: 3164 cmdline: C:\Users\user\AppData\Local\Temp\4A15.exe MD5: 0511A0C819ADE47392A2F3A51EAF1F0B)

icacls.exe (PID: 5452 cmdline: icacls "C:\Users\user\AppData\Local\d11683cc-0d8b-41c4-a224-c03c55bb751f" /deny *S-1-1-0:(OI)(CI)(DE,DC) MD5: FF0D1D4317A44C951240FAE75075D501)

4A15.exe (PID: 5976 cmdline: "C:\Users\user\AppData\Local\Temp\4A15.exe" --Admin IsNotAutoStart IsNotTask MD5: 0511A0C819ADE47392A2F3A51EAF1F0B)

4A15.exe (PID: 6392 cmdline: "C:\Users\user\AppData\Local\Temp\4A15.exe" --Admin IsNotAutoStart IsNotTask MD5: 0511A0C819ADE47392A2F3A51EAF1F0B)

regsvr32.exe (PID: 3416 cmdline: regsvr32 /s C:\Users\user\AppData\Local\Temp\3958.dll MD5: D78B75FC68247E8A63ACBA846182740E)

regsvr32.exe (PID: 6780 cmdline: /s C:\Users\user\AppData\Local\Temp\3958.dll MD5: 426E7499F6A7346F0410DEAD0805586B)

A388.exe (PID: 6820 cmdline: C:\Users\user\AppData\Local\Temp\A388.exe MD5: 3240F8928A130BB155571570C563200A)

conhost.exe (PID: 6852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

AddInProcess32.exe (PID: 4944 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe MD5: EFBCDD2A3EBEA841996AEF00417AA958)

AddInProcess32.exe (PID: 4948 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe MD5: EFBCDD2A3EBEA841996AEF00417AA958)

AddInProcess32.exe (PID: 4972 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe MD5: EFBCDD2A3EBEA841996AEF00417AA958)

i4PHS5R0iEKcuu4uBuaRKA3v.exe (PID: 6864 cmdline: "C:\Users\user\Pictures\i4PHS5R0iEKcuu4uBuaRKA3v.exe" MD5: 2D05CB7FB4726BB51C6059540F0E013E)

Pwp3yspp3pM97CCYpnZxEaEs.exe (PID: 5488 cmdline: "C:\Users\user\Pictures\Pwp3yspp3pM97CCYpnZxEaEs.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /PID=5333 MD5: 3E74B7359F603F61B92CF7DF47073D4A)

Pwp3yspp3pM97CCYpnZxEaEs.tmp (PID: 6028 cmdline: "C:\Users\user\AppData\Local\Temp\is-23R8R.tmp\Pwp3yspp3pM97CCYpnZxEaEs.tmp" /SL5="$1044C,4692544,832512,C:\Users\user\Pictures\Pwp3yspp3pM97CCYpnZxEaEs.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /PID=5333 MD5: 5B1D2E9056C5F18324FA9DD4041B5463)

4GAUQKCdkFpttJoyS2YGgxr9.exe (PID: 7012 cmdline: "C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe" MD5: 823B5FCDEF282C5318B670008B9E6922)

t3PINyJoW83t7JJSZ5BPE6bi.exe (PID: 7032 cmdline: "C:\Users\user\Pictures\t3PINyJoW83t7JJSZ5BPE6bi.exe" MD5: 45B35CD3B6D3BF79D6880813EBCF1717)

t3PINyJoW83t7JJSZ5BPE6bi.exe (PID: 1360 cmdline: "C:\Users\user\Pictures\t3PINyJoW83t7JJSZ5BPE6bi.exe" MD5: 45B35CD3B6D3BF79D6880813EBCF1717)

YRhJ9y7wcq2JenN54ladams2.exe (PID: 6296 cmdline: "C:\Users\user\Pictures\YRhJ9y7wcq2JenN54ladams2.exe" MD5: A2CC32A235869FF08CE951A7C159D2A3)

YRhJ9y7wcq2JenN54ladams2.tmp (PID: 6660 cmdline: "C:\Users\user\AppData\Local\Temp\is-O59IV.tmp\YRhJ9y7wcq2JenN54ladams2.tmp" /SL5="$30434,491750,408064,C:\Users\user\Pictures\YRhJ9y7wcq2JenN54ladams2.exe" MD5: 83827C13D95750C766E5BD293469A7F8)

U58dhzMU8ddvYuIUxUkOSiON.exe (PID: 6200 cmdline: "C:\Users\user\Pictures\U58dhzMU8ddvYuIUxUkOSiON.exe" MD5: E4FA45F80EC75D24124D434010023355)

941caPIfMmGnCq8PWe7WWHEk.exe (PID: 7140 cmdline: "C:\Users\user\Pictures\941caPIfMmGnCq8PWe7WWHEk.exe" MD5: 64E22A1C0959444E0D23AE1977FB1075)

V1NdDWPeq5yoU55PUCrHuT1N.exe (PID: 1048 cmdline: "C:\Users\user\Pictures\V1NdDWPeq5yoU55PUCrHuT1N.exe" /s MD5: AA3602359BB93695DA27345D82A95C77)

f8hJzDp1zQtAPJgciyNSoGpb.exe (PID: 6776 cmdline: "C:\Users\user\Pictures\f8hJzDp1zQtAPJgciyNSoGpb.exe" MD5: 659F20996F8E561EDEF3227A4407A3C8)

svchost.exe (PID: 7016 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p MD5: 32569E403279B3FD2EDB7EBD036273FA)

jwjrtuw (PID: 6932 cmdline: C:\Users\user\AppData\Roaming\jwjrtuw MD5: 2BA491F6B487017A1C58B647A7E05D3C)

4A15.exe (PID: 2456 cmdline: C:\Users\user\AppData\Local\d11683cc-0d8b-41c4-a224-c03c55bb751f\4A15.exe --Task MD5: 0511A0C819ADE47392A2F3A51EAF1F0B)

4A15.exe (PID: 2884 cmdline: C:\Users\user\AppData\Local\d11683cc-0d8b-41c4-a224-c03c55bb751f\4A15.exe --Task MD5: 0511A0C819ADE47392A2F3A51EAF1F0B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Babuk	Babuk Ransomware is a sophisticated ransomware compiled for several platforms. Windows and ARM for Linux are the most used compiled versions, but ESX and a 32bit old PE executable were observed over time. as well It uses an Elliptic Curve Algorithm (Montgomery Algorithm) to build the encryption keys.	No Attribution	http://chuongdong.com/reverse%20engineering/2021/01/03/BabukRansomware/ https://blog.cyble.com/2022/05/06/rebranded-babuk-ransomware-in-action-darkangels-ransomware-performs-targeted-attack/ https://blog.morphisec.com/babuk-ransomware-variant-major-attack https://blog.talosintelligence.com/2021/11/babuk-exploits-exchange.html https://chuongdong.com/reverse%20engineering/2021/01/16/BabukRansomware-v3/	https://malpedia.caad.fkie.fraunhofer.de/details/win.babuk

Name	Description	Attribution	Blogpost URLs	Link
STOP, Djvu	STOP Djvu Ransomware it is a ransomware which encrypts user data through AES-256 and adds one of the dozen available extensions as marker to the encrypted file's name. It is not used to encrypt the entire file but only the first 5 MB. In its original version it was able to run offline and, in that case, it used a hard-coded key which could be extracted to decrypt files.	No Attribution	https://angle.ankura.com/post/102het9/the-stop-ransomware-variant https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/ https://cybergeeks.tech/a-detailed-analysis-of-the-stop-djvu-ransomware/ https://cybleinc.com/2021/06/21/djvu-malware-of-stop-ransomware-family-back-with-new-variant/ https://drive.google.com/file/d/1L8mkylrCJyd-817-45RA6gIFCCX4oaOv/view	https://malpedia.caad.fkie.fraunhofer.de/details/win.stop

Name	Description	Attribution	Blogpost URLs	Link
Fabookie	Fabookie is facebook account info stealer.	No Attribution	https://ics-cert.kaspersky.com/publications/reports/2021/12/16/pseudomanuscrypt-a-mass-scale-spyware-attack-campaign/ https://medium.com/@lcam/updates-from-the-maas-new-threats-delivered-through-nullmixer-d45defc260d1	https://malpedia.caad.fkie.fraunhofer.de/details/win.fabookie

Name	Description	Attribution	Blogpost URLs	Link
Glupteba	Glupteba is a trojan horse malware that is one of the top ten malware variants of 2021. After infecting a system, the Glupteba malware can be used to deliver additional malware, steal user authentication information, and enroll the infected system in a cryptomining botnet.	No Attribution	http://resources.infosecinstitute.com/tdss4-part-1/ https://blog.chainalysis.com/reports/2022-crypto-crime-report-preview-malware/ https://blog.google/technology/safety-security/new-action-combat-cyber-crime/ https://blog.google/threat-analysis-group/disrupting-glupteba-operation/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/	https://malpedia.caad.fkie.fraunhofer.de/details/win.glupteba

Name	Description	Attribution	Blogpost URLs	Link
RedLine Stealer	RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.	No Attribution	https://apophis133.medium.com/redline-technical-analysis-report-5034e16ad152 https://asec.ahnlab.com/en/30445/ https://asec.ahnlab.com/en/35981/ https://asec.ahnlab.com/ko/25837/ https://bartblaze.blogspot.com/2021/06/digital-artists-targeted-in-redline.html	https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Name	Description	Attribution	Blogpost URLs	Link
SmokeLoader	The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.	SMOKY SPIDER	http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html http://security.neurolabs.club/2019/10/dynamic-imports-and-working-around.html http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html http://security.neurolabs.club/2020/06/unpacking-smokeloader-and.html https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries	https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

Malware Configuration

Threatname: SmokeLoader

{"Version": 2022, "C2 list": ["http://bulimu55t.net/", "http://soryytlic4.net/", "http://bukubuka1.net/", "http://novanosa5org.org/", "http://hujukui3.net/", "http://newzelannd66.org/", "http://golilopaster.org/"]}

Threatname: Djvu

{"Download URLs": ["http://colisumy.com/dl/build2.exe", "http://zexeq.com/files/1/build3.exe"], "C2 url": "http://zexeq.com/raud/get.php", "Ransom note file": "_readme.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nYou can get and look video overview decrypt tool:\r\nhttps://we.tl/t-e5pgPH03fe\r\nPrice of private key and decrypt software is $980.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $490.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@freshmail.top\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelp@airmail.cc\r\n\r\nYour personal ID:\r\n0793", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E:\\Users\\Public\\", "E:\\$Recycle.Bin\\", "E:\\$WINDOWS.~BT\\", "E:\\dell\\", "E:\\Intel\\", "E:\\MSOCache\\", "E:\\Program Files\\", "E:\\Program Files (x86)\\", "E:\\Games\\", "F:\\Users\\%username%\\AppData\\Roaming\\", "F:\\Users\\%username%\\AppData\\Local\\", "F:\\Windows\\", "F:\\PerfLogs\\", "F:\\ProgramData\\Desktop\\", "F:\\ProgramData\\Microsoft\\", "F:\\Users\\Public\\", "F:\\$Recycle.Bin\\", "F:\\$WINDOWS.~BT\\", "F:\\dell\\", "F:\\Intel\\"], "Public Key": "-----BEGIN PUBLIC KEY-----\\\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEArBrneEIQdBFXZaeBUAS8\\\\nwH7aMn3xZ2P0+v6VCnLGeU0C+9nPdY0vEKTGhmQmX5mTPxHx0YOio0MNfJigIngF\\\\nUurP7GwIzjiA9Vhh+E4oU4l3QncQbThKRZ3+N6k71ySVwL+15TJ00FBKk\\/z41dQu\\\\nQZqSgIS0T\\/7wW4CWCTLD3dewnt9CTD6UUN9A5dXBa3pxJf6gQeGgcF9MGkbaYsFn\\\\nucGyW1ppYe\\/4pPXENEo7OYgQDnJgch+X4BgMzRga6ix18adWGZj41gMHdRpFkjHE\\\\nsNZtuU5QQIgVkfWjmhv3PWTRQ5raftzMIvvycBmhiPeFwoDt8w3u1DFrAi65hWiD\\\\nWQIDAQAB\\\\n-----END PUBLIC KEY-----"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\s51[1]	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\s51[1]	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 7D 88 44 24 2B 88 44 24 2F B0 45 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
C:\Users\user\AppData\Local\4204bcd2-893f-40a6-aea5-23bed3094b06\build3.exe	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
C:\Users\user\AppData\Local\4204bcd2-893f-40a6-aea5-23bed3094b06\build3.exe	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1203:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
C:\Users\user\AppData\Local\4204bcd2-893f-40a6-aea5-23bed3094b06\build3.exe	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xefa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0xf87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xf87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x12ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1335:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
C:\Users\user\Pictures\Minor Policy\oM7t40xLe0OgCrSQGKhQ7p6Z.exe	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
C:\Users\user\Pictures\Minor Policy\oM7t40xLe0OgCrSQGKhQ7p6Z.exe	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x3f258:$v2_1: ListOfProcesses 0x3ee12:$v4_3: base64str 0x40eec:$v4_4: stringKey 0x3ac79:$v4_5: BytesToStringConverted 0x3a0bc:$v4_6: FromBase64 0x3b8a1:$v4_8: procName 0x3a83c:$v5_9: BCRYPT_KEY_LENGTHS_STRUCT
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\build3[1].exe	JoeSecurity_Clipboard_Hijacker	Yara detected Clipboard Hijacker	Joe Security
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\build3[1].exe	Windows_Trojan_Clipbanker_f9f9e79d	unknown	unknown	0x1203:$a1: 7E 7E 0F B7 04 77 83 F8 41 74 69 83 F8 42 74 64 83 F8 43 74 5F 83
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\build3[1].exe	Windows_Trojan_Clipbanker_787b130b	unknown	unknown	0xefa:$mutex_setup: 55 8B EC 83 EC 18 53 56 57 E8 F8 F4 FF FF 68 30 30 40 00 6A 00 6A 00 FF 15 40 40 40 00 FF 15 2C 40 40 00 3D B7 00 00 00 75 08 6A 00 FF 15 10 30 40 00 0xf87:$new_line_check: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0xf87:$regex1: 0F B7 C2 89 45 EC 0F B7 C2 83 F8 0A 74 43 BA 0D 0A 00 00 66 3B C2 74 39 83 F8 0D 74 34 83 F8 20 74 2F 83 F8 09 74 2A 0x12ad:$regex2: 6A 34 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E 66 3B C1 74 19 83 F8 35 74 14 83 F8 36 74 0F 83 F8 37 74 ... 0x1335:$regex3: 56 8B F1 56 FF 15 20 40 40 00 83 F8 5F 0F 85 84 00 00 00 6A 38 59 66 39 0E 75 7C 0F B7 46 02 6A 30 5A 83 F8 41 74 37 83 F8 42 74 32 66 3B C2 74 2D 83 F8 31 74 28 83 F8 32 74 23 83 F8 33 74 1E ...
C:\Users\user\AppData\Local\Temp\BB52.exe	MALWARE_Win_DLInjector04	Detects downloader / injector	ditekSHen	0x68867f:$s1: Runner 0x6887e4:$s3: RunOnStartup 0x688693:$a1: Antis 0x6886c0:$a2: antiVM 0x6886c7:$a3: antiSandbox 0x6886d3:$a4: antiDebug 0x6886dd:$a5: antiEmulator 0x6886ea:$a6: enablePersistence 0x6886fc:$a7: enableFakeError
Click to see the 6 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000021.00000003.469268991.00000000056E7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.468431350.0000000005643000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.469512589.00000000057D7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000001A.00000003.621914047.00000000039FF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Fabookie	Yara detected Fabookie	Joe Security
00000021.00000003.470885243.0000000005859000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.469454471.000000000564C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000001A.00000003.507939167.0000000003A33000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Fabookie	Yara detected Fabookie	Joe Security
00000021.00000003.483991106.00000000057FC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.516044938.00000000057E8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000025.00000002.457133950.00000000004E1000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000025.00000002.457133950.00000000004E1000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x2f4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000021.00000003.472304844.0000000005778000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.470469816.000000000581B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.507376862.0000000005644000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.470206409.0000000005645000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.485627593.000000000564A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.482035496.000000000597E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.496675989.00000000057BD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.496428031.00000000056DB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.506833901.0000000005641000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.481731356.00000000057D9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.510356408.0000000005642000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000001A.00000003.497133342.00000000039C1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Fabookie	Yara detected Fabookie	Joe Security
00000021.00000003.471354546.000000000576B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.467924288.0000000005041000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.505042457.000000000574D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000001.00000002.376788233.0000000004111000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000001.00000002.376788233.0000000004111000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x3d4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000021.00000003.474548520.000000000591A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.509183662.0000000005641000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.473692356.0000000005641000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.476789219.0000000005648000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.497850220.0000000005649000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.507439123.0000000005772000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.471831991.0000000005644000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.496379528.0000000005640000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.507822905.0000000005BA8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.473229721.00000000058DC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.494997611.000000000506D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000001A.00000003.487597561.00000000039C1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Fabookie	Yara detected Fabookie	Joe Security
00000022.00000002.542182071.00000000046F2000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000021.00000003.496490328.0000000005643000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.472464804.00000000058AC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000001A.00000003.529764912.0000000003A33000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Fabookie	Yara detected Fabookie	Joe Security
00000021.00000003.467980289.000000000508B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.468510767.00000000056D5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.494027534.0000000005041000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.506566555.0000000005858000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.509036426.0000000005BA8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000024.00000002.541185132.0000000004B20000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000021.00000003.500072033.0000000005724000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.470706005.000000000574C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000001B.00000002.521657270.00000000042E3000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000021.00000003.468398950.0000000005145000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.505246801.0000000005646000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.507273041.0000000005885000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.482427984.000000000564C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000001A.00000003.557010087.0000000003A32000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Fabookie	Yara detected Fabookie	Joe Security
00000021.00000003.506178613.0000000005740000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000001F.00000002.446630399.0000000002858000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x6003:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000021.00000003.513208460.000000000564D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.493953689.00000000027BB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000A.00000002.419357601.0000000004470000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0000000A.00000002.419357601.0000000004470000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000021.00000003.481357469.0000000005640000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.467436264.00000000027BA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.473342046.0000000005647000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.468889858.0000000005767000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000018.00000002.436925476.0000000004380000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000018.00000002.436925476.0000000004380000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000021.00000003.507966249.0000000005647000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.473782346.00000000057A8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.469115055.0000000005646000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000001A.00000003.540745976.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Fabookie	Yara detected Fabookie	Joe Security
00000021.00000003.469602619.0000000005712000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000022.00000002.550001229.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000019.00000002.528674260.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
00000019.00000002.528674260.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000019.00000002.528674260.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
0000001A.00000003.555251999.0000000003A32000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Fabookie	Yara detected Fabookie	Joe Security
00000001.00000002.376743466.0000000002659000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x5e06:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000022.00000002.525875413.0000000000843000.00000040.00000001.01000000.00000017.sdmp	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
0000001A.00000003.540098239.0000000003A02000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Fabookie	Yara detected Fabookie	Joe Security
0000000A.00000002.419328976.000000000429C000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000021.00000003.496104252.0000000005644000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000001.00000002.376714688.0000000002600000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000001.00000002.376714688.0000000002600000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x7d4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000021.00000003.469476494.000000000570E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.496455854.0000000005781000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.522960258.0000000005BAF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.473123019.0000000005789000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000001A.00000003.555268660.00000000039CF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Fabookie	Yara detected Fabookie	Joe Security
0000001A.00000003.529294566.0000000003A32000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Fabookie	Yara detected Fabookie	Joe Security
00000007.00000002.428763684.00000000026F8000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x5e16:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000021.00000003.511094027.0000000005BAB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.496888012.00000000057FE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000007.00000002.428808631.00000000040F1000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000007.00000002.428808631.00000000040F1000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x3d4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000001A.00000003.624585849.0000000003A10000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Fabookie	Yara detected Fabookie	Joe Security
00000021.00000003.496634961.00000000056F9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000018.00000002.436833878.0000000004194000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000021.00000003.444125965.0000000004260000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_onlyLogger	Yara detected onlyLogger	Joe Security
00000021.00000003.444125965.0000000004260000.00000004.00001000.00020000.00000000.sdmp	MALWARE_Win_OnlyLogger	Detects OnlyLogger loader variants	ditekSHen	0x36738:$s2: " /f & erase " 0x36748:$s3: /c taskkill /im " 0x36060:$s5: C:\Windows\System32\cmd.exe 0x35e08:$h1: Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 0x35e88:$h2: Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 0x35eb4:$h3: Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 0x35ee8:$h4: Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 0x35f98:$h5: Content-Type: application/x-www-form-urlencoded
00000021.00000003.469550002.0000000005648000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.470580270.000000000564E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.509627314.00000000057AD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000001D.00000002.665875140.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0000001D.00000002.665875140.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0000001D.00000002.665875140.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000024.00000002.541185132.0000000004F63000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
00000021.00000003.496838267.000000000571E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.509729277.0000000005BA3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.496201408.00000000056DD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000024.00000002.522431758.0000000000843000.00000040.00000001.01000000.00000019.sdmp	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
00000021.00000003.509922852.00000000057C1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.470309156.0000000005728000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000001A.00000003.565892568.00000000039EF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Fabookie	Yara detected Fabookie	Joe Security
00000021.00000003.472618978.0000000005642000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000007.00000002.428745109.00000000026D0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000021.00000003.509816939.000000000564A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.504449157.0000000005647000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000022.00000002.550001229.0000000004F33000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
00000024.00000002.531504418.0000000004625000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000021.00000003.507153782.0000000005763000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000001B.00000002.521687562.0000000004390000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0000001B.00000002.521687562.0000000004390000.00000040.00001000.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105ac8:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xe38f:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
00000021.00000003.496753788.0000000005647000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.471595724.000000000588F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.468158250.00000000050DE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.479409950.000000000595A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.471064264.000000000564D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.518524175.0000000005BAB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000001A.00000003.587270076.0000000003A24000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Fabookie	Yara detected Fabookie	Joe Security
00000021.00000003.508451891.000000000579B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000001.00000002.376709250.00000000025F0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000007.00000002.428789330.00000000040C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000007.00000002.428789330.00000000040C0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x7d4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000021.00000003.473582112.00000000057A5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.510464244.00000000057C1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.469421690.000000000579A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.522225873.00000000057F4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000025.00000002.457074870.00000000004B0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000025.00000002.457074870.00000000004B0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x6f4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000021.00000003.477931726.00000000057CA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.469945364.00000000057E2000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
0000000B.00000002.435887482.0000000000400000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
0000000B.00000002.435887482.0000000000400000.00000040.00000400.00020000.00000000.sdmp	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
0000000B.00000002.435887482.0000000000400000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
00000021.00000003.486685012.000000000580D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.485093495.00000000059BE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.502766048.0000000005801000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
00000021.00000003.521207744.0000000005649000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
Process Memory Space: 4A15.exe PID: 4692	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: 4A15.exe PID: 4692	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x38f68:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: 4A15.exe PID: 3164	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: 4A15.exe PID: 3164	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x5abaa:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: 4A15.exe PID: 5976	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: 4A15.exe PID: 5976	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x32c31:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: 4A15.exe PID: 6392	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: 4A15.exe PID: 6392	JoeSecurity_babuk	Yara detected Babuk Ransomware	Joe Security
Process Memory Space: 4A15.exe PID: 6392	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x171edb:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: i4PHS5R0iEKcuu4uBuaRKA3v.exe PID: 6864	JoeSecurity_Fabookie	Yara detected Fabookie	Joe Security
Process Memory Space: 4A15.exe PID: 2456	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: 4A15.exe PID: 2456	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x48f6f:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: 4A15.exe PID: 2884	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
Process Memory Space: 4A15.exe PID: 2884	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x471a2:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb
Process Memory Space: U58dhzMU8ddvYuIUxUkOSiON.exe PID: 6200	JoeSecurity_onlyLogger	Yara detected onlyLogger	Joe Security
Process Memory Space: 941caPIfMmGnCq8PWe7WWHEk.exe PID: 7140	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
Click to see the 163 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.50dd858.3.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.50dd858.3.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 7D 88 44 24 2B 88 44 24 2F B0 45 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
25.2.4A15.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
25.2.4A15.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
25.2.4A15.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
25.2.4A15.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
25.2.4A15.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
25.2.4A15.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
24.2.4A15.exe.43815a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
24.2.4A15.exe.43815a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
24.2.4A15.exe.43815a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
14.2.A388.exe.21354a5ff10.0.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
24.2.4A15.exe.43815a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
24.2.4A15.exe.43815a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
24.2.4A15.exe.43815a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.27c2060.6.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
10.2.4A15.exe.44715a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
10.2.4A15.exe.44715a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
10.2.4A15.exe.44715a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
11.2.4A15.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
11.2.4A15.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
11.2.4A15.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.50dd858.3.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.50dd858.3.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x81868:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x17b8a0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x64838:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x64eb8:$s3: 83 EC 38 53 B0 7D 88 44 24 2B 88 44 24 2F B0 45 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x83542:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x17d57a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x83188:$s5: delete[] 0x17d1c0:$s5: delete[] 0x82640:$s6: constructor or from DllMain. 0x17c678:$s6: constructor or from DllMain.
33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.4260000.0.raw.unpack	JoeSecurity_onlyLogger	Yara detected onlyLogger	Joe Security
33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.4260000.0.raw.unpack	MALWARE_Win_OnlyLogger	Detects OnlyLogger loader variants	ditekSHen	0x36738:$s2: " /f & erase " 0x36748:$s3: /c taskkill /im " 0x36060:$s5: C:\Windows\System32\cmd.exe 0x35e08:$h1: Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 0x35e88:$h2: Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 0x35eb4:$h3: Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 0x35ee8:$h4: Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 0x35f98:$h5: Content-Type: application/x-www-form-urlencoded
37.2.t3PINyJoW83t7JJSZ5BPE6bi.exe.400000.0.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
18.2.AddInProcess32.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.508b050.2.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.508b050.2.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 7D 88 44 24 2B 88 44 24 2F B0 45 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.4260000.0.unpack	JoeSecurity_onlyLogger	Yara detected onlyLogger	Joe Security
33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.4260000.0.unpack	MALWARE_Win_OnlyLogger	Detects OnlyLogger loader variants	ditekSHen	0x35738:$s2: " /f & erase " 0x35748:$s3: /c taskkill /im " 0x35060:$s5: C:\Windows\System32\cmd.exe 0x34e08:$h1: Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, /;q=0.1 0x34e88:$h2: Accept-Language: ru-RU,ru;q=0.9,en;q=0.8 0x34eb4:$h3: Accept-Charset: iso-8859-1, utf-8, utf-16, ;q=0.1 0x34ee8:$h4: Accept-Encoding: deflate, gzip, x-gzip, identity, ;q=0 0x34f98:$h5: Content-Type: application/x-www-form-urlencoded
27.2.4A15.exe.43915a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
27.2.4A15.exe.43915a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
27.2.4A15.exe.43915a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.506d050.7.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.506d050.7.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 7D 88 44 24 2B 88 44 24 2F B0 45 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
31.2.t3PINyJoW83t7JJSZ5BPE6bi.exe.27d15a0.1.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.508b050.2.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.508b050.2.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1bcb0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0xd4070:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0xb7040:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0xb76c0:$s3: 83 EC 38 53 B0 7D 88 44 24 2B 88 44 24 2F B0 45 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1d98a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0xd5d4a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1d5d0:$s5: delete[] 0xd5990:$s5: delete[] 0x1ca88:$s6: constructor or from DllMain. 0xd4e48:$s6: constructor or from DllMain.
33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.506d050.7.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.506d050.7.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x370b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0xf2070:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0xd5040:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0xd56c0:$s3: 83 EC 38 53 B0 7D 88 44 24 2B 88 44 24 2F B0 45 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x38d8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0xf3d4a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x389d0:$s5: delete[] 0xf3990:$s5: delete[] 0x37e88:$s6: constructor or from DllMain. 0xf2e48:$s6: constructor or from DllMain.
11.2.4A15.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
11.2.4A15.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
11.2.4A15.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.5146010.5.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.5146010.5.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 7D 88 44 24 2B 88 44 24 2F B0 45 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.27c1058.1.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
29.2.4A15.exe.400000.0.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
29.2.4A15.exe.400000.0.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x105b28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xd9ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
29.2.4A15.exe.400000.0.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xffe88:$x1: C:\SystemID\PersonalID.txt 0x100334:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xffcf0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x105b28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0x1002ec:$s1: " --AutoStart 0x100300:$s1: " --AutoStart 0x103f48:$s2: --ForNetRes 0x103f10:$s3: --Admin 0x104390:$s4: %username% 0x1044b4:$s5: ?pid= 0x1044c0:$s6: &first=true 0x1044d8:$s6: &first=false 0x1003f4:$s7: delself.bat 0x1043f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x104420:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x104448:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.5146010.4.raw.unpack	JoeSecurity_RedLine	Yara detected RedLine Stealer	Joe Security
33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.5146010.4.raw.unpack	MALWARE_Win_RedLine	Detects RedLine infostealer	ditekSHen	0x1d0b0:$s1: 23 00 2B 00 33 00 3B 00 43 00 53 00 63 00 73 00 0x80:$s2: 68 10 84 2D 2C 71 EA 7E 2C 71 EA 7E 2C 71 EA 7E 32 23 7F 7E 3F 71 EA 7E 0B B7 91 7E 2B 71 EA 7E 2C 71 EB 7E 5C 71 EA 7E 32 23 6E 7E 1C 71 EA 7E 32 23 69 7E A2 71 EA 7E 32 23 7B 7E 2D 71 EA 7E 0x700:$s3: 83 EC 38 53 B0 7D 88 44 24 2B 88 44 24 2F B0 45 88 44 24 30 88 44 24 31 88 44 24 33 55 56 8B F1 B8 0C 00 FE FF 2B C6 89 44 24 14 B8 0D 00 FE FF 2B C6 89 44 24 1C B8 02 00 FE FF 2B C6 89 44 24 ... 0x1ed8a:$s4: B\|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B 0x1e9d0:$s5: delete[] 0x1de88:$s6: constructor or from DllMain.
27.2.4A15.exe.43915a0.1.raw.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
27.2.4A15.exe.43915a0.1.raw.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
27.2.4A15.exe.43915a0.1.raw.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
10.2.4A15.exe.44715a0.1.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
10.2.4A15.exe.44715a0.1.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x102f28:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xc1ef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
10.2.4A15.exe.44715a0.1.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfd288:$x1: C:\SystemID\PersonalID.txt 0xfd734:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfd0f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x102f28:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfd6ec:$s1: " --AutoStart 0xfd700:$s1: " --AutoStart 0x101348:$s2: --ForNetRes 0x101310:$s3: --Admin 0x101790:$s4: %username% 0x1018b4:$s5: ?pid= 0x1018c0:$s6: &first=true 0x1018d8:$s6: &first=false 0xfd7f4:$s7: delself.bat 0x1017f8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x101820:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x101848:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
29.2.4A15.exe.400000.0.unpack	JoeSecurity_Djvu	Yara detected Djvu Ransomware	Joe Security
29.2.4A15.exe.400000.0.unpack	Windows_Ransomware_Stop_1e8d48ff	unknown	unknown	0x104528:$a: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb 0xcdef:$b: 68 FF FF FF 50 FF D3 8D 85 78 FF FF FF 50 FF D3 8D 85 58 FF
29.2.4A15.exe.400000.0.unpack	MALWARE_Win_STOP	Detects STOP ransomware	ditekSHen	0xfe888:$x1: C:\SystemID\PersonalID.txt 0xfed34:$x2: /deny *S-1-1-0:(OI)(CI)(DE,DC) 0xfe6f0:$x3: e:\doc\my work (c++)\_git\encryption\ 0x104528:$x3: E:\Doc\My work (C++)\_Git\Encryption\ 0xfecec:$s1: " --AutoStart 0xfed00:$s1: " --AutoStart 0x102948:$s2: --ForNetRes 0x102910:$s3: --Admin 0x102d90:$s4: %username% 0x102eb4:$s5: ?pid= 0x102ec0:$s6: &first=true 0x102ed8:$s6: &first=false 0xfedf4:$s7: delself.bat 0x102df8:$mutex1: {1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D} 0x102e20:$mutex2: {FBB4BCC6-05C7-4ADD-B67B-A98A697323C1} 0x102e48:$mutex3: {36A698B9-D67C-4E07-BE82-0EC5B14B4DF5}
36.2.f8hJzDp1zQtAPJgciyNSoGpb.exe.4b20e67.10.unpack	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
34.2.941caPIfMmGnCq8PWe7WWHEk.exe.400000.5.unpack	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
36.2.f8hJzDp1zQtAPJgciyNSoGpb.exe.400000.0.unpack	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
34.2.941caPIfMmGnCq8PWe7WWHEk.exe.4af0e67.13.unpack	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
Click to see the 61 entries

Sigma Signatures

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe, ProcessId: 4972, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QIttVglwj2HtPQeFbGsTsTBG.bat

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Yara detected Glupteba

Source: Yara match	File source: 36.2.f8hJzDp1zQtAPJgciyNSoGpb.exe.4b20e67.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.941caPIfMmGnCq8PWe7WWHEk.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.f8hJzDp1zQtAPJgciyNSoGpb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.941caPIfMmGnCq8PWe7WWHEk.exe.4af0e67.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000022.00000002.525875413.0000000000843000.00000040.00000001.01000000.00000017.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.541185132.0000000004F63000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.522431758.0000000000843000.00000040.00000001.01000000.00000019.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.550001229.0000000004F33000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 941caPIfMmGnCq8PWe7WWHEk.exe PID: 7140, type: MEMORYSTR

Antivirus detection for URL or domain

Source: http://app.nnnaajjjgc.com/	URL Reputation: Label: malware
Source: http://app.nnnaajjjgc.com/check/safe	URL Reputation: Label: malware
Source: http://app.nnnaajjjgc.com/check/?sid=1134664&key=5a5e7537a8885a65fb2b4176d4c48e2c	Avira URL Cloud: Label: malware
Source: http://app.nnnaajjjgc.com/check/?sid=1134940&key=9c360413b20472b92e1b278c2654cd9bec507f97304d55a	Avira URL Cloud: Label: malware
Source: http://app.nnnaajjjgc.com/check/?sid=1135340&key=86810d751c0aa0fa28346472918311d6	Avira URL Cloud: Label: malware
Source: http://colisumy.com/dl/build2.exe$run	Avira URL Cloud: Label: malware
Source: http://app.nnnaajjjgc.com/check/?sid=1134718&key=abd6c79d9cdea0adf3c5fbb50faa6372y	Avira URL Cloud: Label: malware
Source: http://app.nnnaajjjgc.com/check/?sid=1134916&key=3167af0b34b5a44fdec507f97304d55aad23e1	Avira URL Cloud: Label: malware
Source: http://app.nnnaajjjgc.com/check/?sid=1134916&key=3167af0b34b5a44fdec507f97304d55a	Avira URL Cloud: Label: malware
Source: http://novanosa5org.org/	Avira URL Cloud: Label: malware
Source: http://app.nnnaajjjgc.com/check/safebt	Avira URL Cloud: Label: malware
Source: http://app.nnnaajjjgc.com/check/?sid=1135418&key=af1ae34227e74b84877a2b0bbf3bee9bmi	Avira URL Cloud: Label: malware
Source: http://app.nnnaajjjgc.com/check/?sid=1135340&key=86810d751c0aa0fa28346472918311d61:ut	Avira URL Cloud: Label: malware
Source: http://app.nnnaajjjgc.com/check/?sid=1134790&key=72224396aab18bba753981c520d8b1a5Gh	Avira URL Cloud: Label: malware
Source: http://app.nnnaajjjgc.com/check/?sid=1135652&key=52a1fa091a2d98cce516cbabc104bbb1	Avira URL Cloud: Label: malware
Source: http://app.nnnaajjjgc.com:80/check/safe	Avira URL Cloud: Label: malware
Source: http://app.nnnaajjjgc.com/check/?sid=1134916&key=3167af0b34b5a44fdec507f97304d55a#	Avira URL Cloud: Label: malware
Source: http://5.42.64.10/api/files/software/s5.exe	Avira URL Cloud: Label: malware
Source: http://script.google.cpp.nnnaajjjgc.com/check/safe	Avira URL Cloud: Label: malware
Source: http://app.nnnaajjjgc.com/check/?sid=1134940&key=9c360413b20472b92e1b278c2654cd9b6C92	Avira URL Cloud: Label: malware
Source: http://app.nnnaajjjgc.com/check/?sid=1135340&key=86810d751c0aa0fa28346472918311d66C92	Avira URL Cloud: Label: malware
Source: http://app.nnnaajjjgc.com/check/?sid=1136320&key=f4073b8c48cdf506608aafebc7c710bd	Avira URL Cloud: Label: malware
Source: http://app.nnnaajjjgc.com/check/?sid=1136118&key=18166b66b4c087f47773dacf194063c06C92	Avira URL Cloud: Label: malware
Source: http://app.nnnaajjjgc.com/check/?sid=1136118&key=18166b66b4c087f47773dacf194063c0	Avira URL Cloud: Label: malware
Source: https://downloads.digitalpulsedata.com/0.16.16/DigitalPulse.exe	Avira URL Cloud: Label: malware
Source: http://app.nnnaajjjgc.com/check/?sid=1135184&key=e2b003b01e4d0eb6ffeb7affbde6d54b	Avira URL Cloud: Label: malware
Source: http://app.nnnaajjjgc.com/check/safe7OM	Avira URL Cloud: Label: malware
Source: https://potatogoose.com/03ea740ea772f2ff2218e4ed0bfbac4b/baf14778c246e15550645e30ba78ce1c.exe	Avira URL Cloud: Label: malware
Source: https://digitalpulsedata.com/pp/	Avira URL Cloud: Label: malware
Source: http://app.nnnaajjjgc.com/check/?sid=1135324&key=7d66a132c21ba63fc78546c9d24589f2	Avira URL Cloud: Label: malware
Source: http://app.nnnaajjjgc.com/check/?sid=1134966&key=0fd5f12a596a555ef492fb98f379fab8	Avira URL Cloud: Label: malware
Source: http://app.nnnaajjjgc.com/check/?sid=1135184&key=e2b003b01e4d0eb6ffeb7affbde6d54b5	Avira URL Cloud: Label: malware
Source: http://ji.alie3ksgbb.com/m/ss29	Avira URL Cloud: Label: malware
Source: http://app.nnnaajjjgc.com/check/?sid=1134718&key=abd6c79d9cdea0adf3c5fbb50faa6372	Avira URL Cloud: Label: malware
Source: http://app.nnnaajjjgc.com/check/?sid=1134752&key=b91eaeee1ec96f7344a52c72e78649e0w	Avira URL Cloud: Label: malware
Source: http://app.nnnaajjjgc.com/check/?sid=1136320&key=f4073b8c48cdf506608aafebc7c710bdkO	Avira URL Cloud: Label: malware
Source: http://soryytlic4.net/	Avira URL Cloud: Label: malware
Source: http://zexeq.com/files/1/build3.exe$run	Avira URL Cloud: Label: malware
Source: https://desktop-netinspp.nnnaajjjgc.com/check/?sid=1136320&key=f4073b8c48cdf506608aafebc7c710bd	Avira URL Cloud: Label: malware
Source: http://app.nnnaajjjgc.com/check/?sid=1134966&key=0fd5f12a596a555ef492fb9	Avira URL Cloud: Label: malware
Source: http://app.nnnaajjjgc.com/check/?sid=1135184&key=e2b003b01e4d0eb6ffeb7affbde6d54b30	Avira URL Cloud: Label: malware
Source: http://zexeq.com/filespp.nnnaajjjgc.com/	Avira URL Cloud: Label: malware
Source: http://app.nnnaajjjgc.com/check/	Avira URL Cloud: Label: malware
Source: http://app.nnnaajjjgc.com/check/?sid=1134810&key=2e80054952ba0f1faf1a5db7f7ffcc01G	Avira URL Cloud: Label: malware
Source: https://potatogoose.com	Avira URL Cloud: Label: malware
Source: http://app.nnnaajjjgc.com/check/?sid=1134630&key=a7f738ef34a58abfd14b211f7ae4d75a;	Avira URL Cloud: Label: malware
Source: http://app.nnnaajjjgc.com/0vx	Avira URL Cloud: Label: malware
Source: http://app.nnnaajjjgc.com/check/?sid=1135652&key=52a1fa091a2d98cce516cbabc104bbb1081221o	Avira URL Cloud: Label: malware
Source: http://zexeq.com/files/1/build3.exerun	Avira URL Cloud: Label: malware
Source: http://app.nnnaajjjgc.com/check/?sid=1134810&key=2e80054952ba0f1faf1a5db7f7ffcc01;	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\FJSjysH5UVVCzLZbTWiurcoJ.exe	Avira: detection malicious, Label: TR/Spy.Stealer.hpqrg
Source: C:\Users\user\AppData\Local\3R8Ck5RbDm3DwHyYiEHPdMPU.exe	Avira: detection malicious, Label: TR/AD.Swrort.wizll
Source: C:\Users\user\AppData\Local\4204bcd2-893f-40a6-aea5-23bed3094b06\build3.exe	Avira: detection malicious, Label: TR/Crypt.XPACK.Gen8
Source: C:\Users\user\AppData\Local\C2TkN5RHqTOX5vO30NGDVLbB.exe	Avira: detection malicious, Label: HEUR/AGEN.1338858
Source: C:\Users\user\AppData\Local\4204bcd2-893f-40a6-aea5-23bed3094b06\build2.exe	Avira: detection malicious, Label: TR/Crypt.Agent.oqzji
Source: C:\Users\user\AppData\Local\2lVdyQwPNGbHgZp4B3rD4Yqg.exe	Avira: detection malicious, Label: TR/AD.Swrort.wizll
Source: C:\Users\user\AppData\Local\0lRbbbWcsJKvfly5UKkRLgWl.exe	Avira: detection malicious, Label: HEUR/AGEN.1312455
Source: C:\Users\user\AppData\Local\71FtIFRHiuIrBlnLJFT3ZXQN.exe	Avira: detection malicious, Label: HEUR/AGEN.1312455
Source: C:\Users\user\AppData\Local\7NPiD49RQYuqr08A8L1me5Vl.exe	Avira: detection malicious, Label: TR/AD.Swrort.wizll
Source: C:\Users\user\AppData\Local\2mAvooCfaVYrwjbi8P7aQwd5.exe	Avira: detection malicious, Label: HEUR/AGEN.1338858
Source: C:\Users\user\AppData\Local\LhPgYqY29jVhDYACkOwz5AiJ.exe	Avira: detection malicious, Label: HEUR/AGEN.1312455
Source: C:\Users\user\AppData\Local\4nmbyTUdyzoQS5v44sOkHxgO.exe	Avira: detection malicious, Label: HEUR/AGEN.1312455

Found malware configuration

Source: 00000001.00000002.376788233.0000000004111000.00000004.10000000.00040000.00000000.sdmp	Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://bulimu55t.net/", "http://soryytlic4.net/", "http://bukubuka1.net/", "http://novanosa5org.org/", "http://hujukui3.net/", "http://newzelannd66.org/", "http://golilopaster.org/"]}
Source: 0000000A.00000002.419357601.0000000004470000.00000040.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: Djvu {"Download URLs": ["http://colisumy.com/dl/build2.exe", "http://zexeq.com/files/1/build3.exe"], "C2 url": "http://zexeq.com/raud/get.php", "Ransom note file": "_readme.txt", "Ransom note": "ATTENTION!\r\n\r\nDon't worry, you can return all your files!\r\nAll your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.\r\nThe only method of recovering files is to purchase decrypt tool and unique key for you.\r\nThis software will decrypt all your encrypted files.\r\nWhat guarantees you have?\r\nYou can send one of your encrypted file from your PC and we decrypt it for free.\r\nBut we can decrypt only 1 file for free. File must not contain valuable information.\r\nYou can get and look video overview decrypt tool:\r\nhttps://we.tl/t-e5pgPH03fe\r\nPrice of private key and decrypt software is $980.\r\nDiscount 50% available if you contact us first 72 hours, that's price for you is $490.\r\nPlease note that you'll never restore your data without payment.\r\nCheck your e-mail \"Spam\" or \"Junk\" folder if you don't get answer more than 6 hours.\r\n\r\n\r\nTo get this software you need write on our e-mail:\r\nsupport@freshmail.top\r\n\r\nReserve e-mail address to contact us:\r\ndatarestorehelp@airmail.cc\r\n\r\nYour personal ID:\r\n0793", "Ignore Files": ["ntuser.dat", "ntuser.dat.LOG1", "ntuser.dat.LOG2", "ntuser.pol", ".sys", ".ini", ".DLL", ".dll", ".blf", ".bat", ".lnk", ".regtrans-ms", "C:\\SystemID\\", "C:\\Users\\Default User\\", "C:\\Users\\Public\\", "C:\\Users\\All Users\\", "C:\\Users\\Default\\", "C:\\Documents and Settings\\", "C:\\ProgramData\\", "C:\\Recovery\\", "C:\\System Volume Information\\", "C:\\Users\\%username%\\AppData\\Roaming\\", "C:\\Users\\%username%\\AppData\\Local\\", "C:\\Windows\\", "C:\\PerfLogs\\", "C:\\ProgramData\\Microsoft\\", "C:\\ProgramData\\Package Cache\\", "C:\\Users\\Public\\", "C:\\$Recycle.Bin\\", "C:\\$WINDOWS.~BT\\", "C:\\dell\\", "C:\\Intel\\", "C:\\MSOCache\\", "C:\\Program Files\\", "C:\\Program Files (x86)\\", "C:\\Games\\", "C:\\Windows.old\\", "D:\\Users\\%username%\\AppData\\Roaming\\", "D:\\Users\\%username%\\AppData\\Local\\", "D:\\Windows\\", "D:\\PerfLogs\\", "D:\\ProgramData\\Desktop\\", "D:\\ProgramData\\Microsoft\\", "D:\\ProgramData\\Package Cache\\", "D:\\Users\\Public\\", "D:\\$Recycle.Bin\\", "D:\\$WINDOWS.~BT\\", "D:\\dell\\", "D:\\Intel\\", "D:\\MSOCache\\", "D:\\Program Files\\", "D:\\Program Files (x86)\\", "D:\\Games\\", "E:\\Users\\%username%\\AppData\\Roaming\\", "E:\\Users\\%username%\\AppData\\Local\\", "E:\\Windows\\", "E:\\PerfLogs\\", "E:\\ProgramData\\Desktop\\", "E:\\ProgramData\\Microsoft\\", "E:\\ProgramData\\Package Cache\\", "E:\\Users\\Public\\", "E:\\$Recycle.Bin\\", "E:\\$WINDOWS.~BT\\", "E:\\dell\\", "E:\\Intel\\", "E:\\MSOCache\\", "E:\\Program Files\\", "E:\\Program Files (x86)\\", "E:\\Games\\", "F:\\Users\\%username%\\AppData\\Roaming\\", "F:\\Users\\%username%\\AppData\\Local\\", "F:\\Windows\\"

Antivirus / Scanner detection for submitted sample

Source: file.exe

Avira: detected

Multi AV Scanner detection for domain / URL

Source: http://colisumy.com/dl/build2.exe$run	Virustotal: Detection: 17%	Perma Link
Source: http://novanosa5org.org/	Virustotal: Detection: 18%	Perma Link
Source: http://app.nnnaajjjgc.com:80/check/safe	Virustotal: Detection: 20%	Perma Link
Source: http://5.42.64.10/api/files/software/s5.exe	Virustotal: Detection: 13%	Perma Link
Source: https://downloads.digitalpulsedata.com/0.16.16/DigitalPulse.exe	Virustotal: Detection: 14%	Perma Link
Source: https://digitalpulsedata.com/pp/	Virustotal: Detection: 7%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\0lRbbbWcsJKvfly5UKkRLgWl.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\2lVdyQwPNGbHgZp4B3rD4Yqg.exe	ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\2mAvooCfaVYrwjbi8P7aQwd5.exe	ReversingLabs: Detection: 22%
Source: C:\Users\user\AppData\Local\3R8Ck5RbDm3DwHyYiEHPdMPU.exe	ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\3e7TFXuOpvanKkAtgXUBsjg5.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\4204bcd2-893f-40a6-aea5-23bed3094b06\build2.exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\4204bcd2-893f-40a6-aea5-23bed3094b06\build3.exe	ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\4nmbyTUdyzoQS5v44sOkHxgO.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\7NPiD49RQYuqr08A8L1me5Vl.exe	ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\90MmY3vsUc9ABzZegEZBdNOJ.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\AboFkE91gGtC0jX22BS3GOn1.exe	ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\BYpvSgsqBQF2e9VWX5DwhO9b.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\C2TkN5RHqTOX5vO30NGDVLbB.exe	ReversingLabs: Detection: 22%
Source: C:\Users\user\AppData\Local\FJSjysH5UVVCzLZbTWiurcoJ.exe	ReversingLabs: Detection: 69%
Source: C:\Users\user\AppData\Local\HZmkan0RtnpmEbbLPyds7uQ6.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\s51[1]	ReversingLabs: Detection: 16%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\build2[1].exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\build3[1].exe	ReversingLabs: Detection: 81%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\s51[1]	ReversingLabs: Detection: 16%
Source: C:\Users\user\AppData\Local\Mrqt0LPomy7YxUAwjV5w1C4Z.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\N5fklblcsXVYu4JmfhsKVoFv.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\OdBy5UCgwCs2zOQ5hgwqYDDW.exe	ReversingLabs: Detection: 78%
Source: C:\Users\user\AppData\Local\PEETw0QK3zD9r7HEE5AR45AO.exe	ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\QmwuUY15y0L4DcEZ4ogFMHTp.exe	ReversingLabs: Detection: 22%
Source: C:\Users\user\AppData\Local\SXfcayqkk1DZ7GAEIik6FBEC.exe	ReversingLabs: Detection: 22%
Source: C:\Users\user\AppData\Local\TNzDEBB9FdUrEB9ZmBfj0vTU.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\TUpbZ8vU8BuCVac1Gcxet4HJ.exe	ReversingLabs: Detection: 69%
Source: C:\Users\user\AppData\Local\Tc3J3MYPBvAb1zFAQ5lDv3bp.exe	ReversingLabs: Detection: 78%
Source: C:\Users\user\AppData\Local\Temp\2629.exe	ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Temp\5838081746.exe	ReversingLabs: Detection: 16%
Source: C:\Users\user\AppData\Local\Temp\A388.exe	ReversingLabs: Detection: 69%
Source: C:\Users\user\AppData\Local\Temp\BB52.exe	ReversingLabs: Detection: 77%
Source: C:\Users\user\AppData\Local\Temp\is-23R8R.tmp\Pwp3yspp3pM97CCYpnZxEaEs.tmp	ReversingLabs: Detection: 30%
Source: C:\Users\user\AppData\Local\TtG5py94KsXzXSkP3RqVlzUB.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\VWecoOkiAKSpFQMeoTrTyGCa.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\WQ1sXS4A8SPQ3OH5qUwmsfK7.exe	ReversingLabs: Detection: 78%
Source: C:\Users\user\AppData\Local\X4G1qMGsevrGDCsTxtK3q3TA.exe	ReversingLabs: Detection: 69%
Source: C:\Users\user\AppData\Local\ZMVfke3FfhAYexvtpGaP7QO0.exe	ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\c8KXUlVEBLWKm0FvrBR7FzOQ.exe	ReversingLabs: Detection: 70%
Source: C:\Users\user\AppData\Local\cIYKpG6eQ8E5shW60pciCDk9.exe	ReversingLabs: Detection: 34%

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\G2DNcZFdbZ5vEmNAUVLs9Ohf.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\s51[1]	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\4204bcd2-893f-40a6-aea5-23bed3094b06\build2.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\0lRbbbWcsJKvfly5UKkRLgWl.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\71FtIFRHiuIrBlnLJFT3ZXQN.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\CluIFFuzrOPmXrVReYWFXWkl.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\DFhwCIhHEDQ5pEOtcRuwyHkl.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\LhPgYqY29jVhDYACkOwz5AiJ.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\45jOwggrSgiiBeW99lMmxS6j.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\4nmbyTUdyzoQS5v44sOkHxgO.exe	Joe Sandbox ML: detected

Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_00411178 CryptDestroyHash,CryptReleaseContext,	11_2_00411178
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_0040E870 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,	11_2_0040E870
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_0040EA51 CryptDestroyHash,CryptReleaseContext,	11_2_0040EA51
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_0040EAA0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,_sprintf,CryptDestroyHash,CryptReleaseContext,	11_2_0040EAA0
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_0040EC68 CryptDestroyHash,CryptReleaseContext,	11_2_0040EC68
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_00410FC0 CryptAcquireContextW,__CxxThrowException@8,CryptCreateHash,__CxxThrowException@8,lstrlenA,CryptHashData,__CxxThrowException@8,CryptGetHashParam,CryptGetHashParam,__CxxThrowException@8,_memset,CryptGetHashParam,__CxxThrowException@8,CryptGetHashParam,_malloc,CryptGetHashParam,_memset,_sprintf,lstrcatA,CryptDestroyHash,CryptReleaseContext,	11_2_00410FC0

Bitcoin Miner

Yara detected Glupteba

Source: Yara match	File source: 36.2.f8hJzDp1zQtAPJgciyNSoGpb.exe.4b20e67.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.941caPIfMmGnCq8PWe7WWHEk.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.f8hJzDp1zQtAPJgciyNSoGpb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.941caPIfMmGnCq8PWe7WWHEk.exe.4af0e67.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000022.00000002.525875413.0000000000843000.00000040.00000001.01000000.00000017.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.541185132.0000000004F63000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.522431758.0000000000843000.00000040.00000001.01000000.00000019.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.550001229.0000000004F33000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 941caPIfMmGnCq8PWe7WWHEk.exe PID: 7140, type: MEMORYSTR

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Unpacked PE file: 11.2.4A15.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Unpacked PE file: 25.2.4A15.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\d11683cc-0d8b-41c4-a224-c03c55bb751f\4A15.exe	Unpacked PE file: 29.2.4A15.exe.400000.0.unpack
Source: C:\Users\user\Pictures\941caPIfMmGnCq8PWe7WWHEk.exe	Unpacked PE file: 34.2.941caPIfMmGnCq8PWe7WWHEk.exe.400000.5.unpack
Source: C:\Users\user\Pictures\f8hJzDp1zQtAPJgciyNSoGpb.exe	Unpacked PE file: 36.2.f8hJzDp1zQtAPJgciyNSoGpb.exe.400000.0.unpack

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Pictures\i4PHS5R0iEKcuu4uBuaRKA3v.exe

Unpacked PE file: 26.2.i4PHS5R0iEKcuu4uBuaRKA3v.exe.3840000.2.unpack

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\_readme.txt
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\_readme.txt
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1025\_readme.txt
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1028\_readme.txt
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1029\_readme.txt
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1030\_readme.txt
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1031\_readme.txt
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1032\_readme.txt
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1033\_readme.txt
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1035\_readme.txt
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1036\_readme.txt
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1037\_readme.txt
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1038\_readme.txt
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1040\_readme.txt
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1041\_readme.txt
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1042\_readme.txt
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1043\_readme.txt
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1044\_readme.txt
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1045\_readme.txt
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1046\_readme.txt
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1049\_readme.txt
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1053\_readme.txt
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1055\_readme.txt
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\2052\_readme.txt
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\2070\_readme.txt
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\3082\_readme.txt
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\Graphics\_readme.txt
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\Users\user\_readme.txt

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-23R8R.tmp\Pwp3yspp3pM97CCYpnZxEaEs.tmp

Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{64F4736C-6169-4520-9368-BE1C9EAE552A}_is1

Source:	Binary string: P:\Target\x64\ship\groove\x-none\grooveex.pdbeex.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: explorer.exe, 00000002.00000000.376312472.00007FFC2B141000.00000020.00000001.01000000.00000005.sdmp
Source:	Binary string: Loader.pdb source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000843000.00000040.00000001.01000000.00000017.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.0000000004F33000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\cr4shed\Desktop\MyHealthLoader\obj\Debug\MyHealthLoader.pdb source: 4GAUQKCdkFpttJoyS2YGgxr9.exe, 0000001E.00000002.699952372.0000000003735000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: EfiGuardDxe.pdb7 source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.542182071.00000000046F2000.00000040.00000020.00020000.00000000.sdmp
Source:	Binary string: Unrecognized pdb formatThis error indicates attempting to access a .pdb file with source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.00000000051BB000.00000040.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000ACC000.00000040.00000001.01000000.00000017.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.541185132.00000000051EB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: A connection with the server could not be establishedAn extended error was returned from the WinHttp serverThe .pdb file is probably no longer indexed in the symbol server share location. source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.00000000051BB000.00000040.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000ACC000.00000040.00000001.01000000.00000017.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.541185132.00000000051EB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: Age does not matchThe module age and .pdb age do not match. source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.00000000051BB000.00000040.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000ACC000.00000040.00000001.01000000.00000017.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.541185132.00000000051EB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: symsrv.pdb source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000C79000.00000040.00000001.01000000.00000017.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.0000000005369000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: Cvinfo is corruptThe .pdb file contains a corrupted debug codeview information. source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.00000000051BB000.00000040.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000ACC000.00000040.00000001.01000000.00000017.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.541185132.00000000051EB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: SetupUtility.pdb source: 4A15.exe, 00000019.00000003.473464201.0000000009A20000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Downloading symbols for [%s] %ssrvsymsrvhttp://https://_bad_pdb_file.pdb source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.00000000051BB000.00000040.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000ACC000.00000040.00000001.01000000.00000017.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.541185132.00000000051EB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: Setup.pdb source: 4A15.exe, 00000019.00000003.473294254.0000000009A20000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: The symbol server has never indexed any version of this symbol fileNo version of the .pdb file with the given name has ever been registered. source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.00000000051BB000.00000040.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000ACC000.00000040.00000001.01000000.00000017.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.541185132.00000000051EB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: PDB not foundUnable to locate the .pdb file in any of the symbol search path locations. source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.00000000051BB000.00000040.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000ACC000.00000040.00000001.01000000.00000017.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.541185132.00000000051EB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: 4A15.exe, 4A15.exe, 0000000B.00000002.435887482.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 4A15.exe, 00000018.00000002.436925476.0000000004380000.00000040.00001000.00020000.00000000.sdmp, 4A15.exe, 00000019.00000002.528674260.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 4A15.exe, 0000001B.00000002.521687562.0000000004390000.00000040.00001000.00020000.00000000.sdmp, 4A15.exe, 0000001D.00000002.665875140.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\Release\Winmon.pdb source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000843000.00000040.00000001.01000000.00000017.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.0000000004F33000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: Magnify.pdb source: 4A15.exe, 00000019.00000003.526084395.0000000003170000.00000004.00001000.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000000.437080358.00007FF77A411000.00000020.00000001.01000000.0000000F.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000002.683131767.00007FF77A411000.00000020.00000001.01000000.0000000F.sdmp
Source:	Binary string: P:\Target\x64\ship\groove\x-none\grooveex.pdb source: explorer.exe, 00000002.00000000.376312472.00007FFC2B141000.00000020.00000001.01000000.00000005.sdmp
Source:	Binary string: C:\vbox\branch\w64-1.6\out\win.amd64\release\obj\src\VBox\HostDrivers\VBoxDrv\VBoxDrv.pdb source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000843000.00000040.00000001.01000000.00000017.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.0000000004F33000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\x64\Release\Winmon.pdb source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000843000.00000040.00000001.01000000.00000017.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.0000000004F33000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: Drive not readyThis error indicates a .pdb file related failure. source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.00000000051BB000.00000040.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000ACC000.00000040.00000001.01000000.00000017.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.541185132.00000000051EB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: Error while loading symbolsUnable to locate the .pdb file in any of the symbol search source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.00000000051BB000.00000040.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000ACC000.00000040.00000001.01000000.00000017.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.541185132.00000000051EB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: zzz_AsmCodeRange_*FrameDatainvalid string positionstring too long.pdb source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.00000000051BB000.00000040.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000ACC000.00000040.00000001.01000000.00000017.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.541185132.00000000051EB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: Magnify.pdb@WH source: 4A15.exe, 00000019.00000003.526084395.0000000003170000.00000004.00001000.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000000.437080358.00007FF77A411000.00000020.00000001.01000000.0000000F.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000002.683131767.00007FF77A411000.00000020.00000001.01000000.0000000F.sdmp
Source:	Binary string: mscorlib.pdb source: 4GAUQKCdkFpttJoyS2YGgxr9.exe, 0000001E.00000002.699952372.0000000003735000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Pdb read access deniedYou may be attempting to access a .pdb file with read-only attributes source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.00000000051BB000.00000040.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000ACC000.00000040.00000001.01000000.00000017.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.541185132.00000000051EB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: Unable to locate the .pdb file in this location source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.00000000051BB000.00000040.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000ACC000.00000040.00000001.01000000.00000017.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.541185132.00000000051EB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\x64\Release\WinmonFS.pdb source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000843000.00000040.00000001.01000000.00000017.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.0000000004F33000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: The module signature does not match with .pdb signature. source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.00000000051BB000.00000040.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000ACC000.00000040.00000001.01000000.00000017.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.541185132.00000000051EB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: .pdb.dbg source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.00000000051BB000.00000040.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000ACC000.00000040.00000001.01000000.00000017.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.541185132.00000000051EB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: '(EfiGuardDxe.pdbx source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.00000000051BB000.00000040.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000ACC000.00000040.00000001.01000000.00000017.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.541185132.00000000051EB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: symsrv.pdbGCTL source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000C79000.00000040.00000001.01000000.00000017.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.0000000005369000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\admin\source\repos\driver-process-monitor-master\Release\WinmonProcessMonitor.pdb source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000843000.00000040.00000001.01000000.00000017.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.0000000004F33000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\Release\WinmonFS.pdb source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000843000.00000040.00000001.01000000.00000017.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.0000000004F33000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: or you do not have access permission to the .pdb location. source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.00000000051BB000.00000040.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000ACC000.00000040.00000001.01000000.00000017.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.541185132.00000000051EB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: An Exception happened while downloading the module .pdbPlease open a bug if this is a consistent repro. source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.00000000051BB000.00000040.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000ACC000.00000040.00000001.01000000.00000017.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.541185132.00000000051EB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\admin\source\repos\driver-process-monitor-master\x64\Release\WinmonProcessMonitor.pdb source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000843000.00000040.00000001.01000000.00000017.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.0000000004F33000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: EfiGuardDxe.pdb source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.00000000051BB000.00000040.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000ACC000.00000040.00000001.01000000.00000017.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.541185132.00000000051EB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: 4A15.exe, 0000000A.00000002.419357601.0000000004470000.00000040.00001000.00020000.00000000.sdmp, 4A15.exe, 0000000B.00000002.435887482.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 4A15.exe, 00000018.00000002.436925476.0000000004380000.00000040.00001000.00020000.00000000.sdmp, 4A15.exe, 00000019.00000002.528674260.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 4A15.exe, 0000001B.00000002.521687562.0000000004390000.00000040.00001000.00020000.00000000.sdmp, 4A15.exe, 0000001D.00000002.665875140.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: eex.pdb source: explorer.exe, 00000002.00000000.376312472.00007FFC2B141000.00000020.00000001.01000000.00000005.sdmp
Source:	Binary string: C:\vmagent_new\bin\joblist\615425\out\Release\360Installer.pdb0pH\| source: V1NdDWPeq5yoU55PUCrHuT1N.exe, 00000023.00000002.445804410.0000000000471000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: SetupUtility.pdb5 source: 4A15.exe, 00000019.00000003.473464201.0000000009A20000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Signature does not matchThe module signature does not match with .pdb signature source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.00000000051BB000.00000040.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000ACC000.00000040.00000001.01000000.00000017.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.541185132.00000000051EB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: dbghelp.pdb source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.00000000051BB000.00000040.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000ACC000.00000040.00000001.01000000.00000017.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.541185132.00000000051EB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\vmagent_new\bin\joblist\615425\out\Release\360Installer.pdb source: V1NdDWPeq5yoU55PUCrHuT1N.exe, 00000023.00000002.445804410.0000000000471000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: dbghelp.pdbGCTL source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.00000000051BB000.00000040.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000ACC000.00000040.00000001.01000000.00000017.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.541185132.00000000051EB000.00000040.00001000.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_00410160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,	11_2_00410160
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,	11_2_0040F730
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_0040FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose,	11_2_0040FB98

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 104.21.18.99 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 79.137.192.18 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 213.6.54.58 443	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 189.232.123.108 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 195.201.202.58 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 162.159.133.233 443	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 193.42.32.101 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 144.76.136.153 443	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 194.169.175.127 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 77.91.68.78 80	Jump to behavior

Yara detected onlyLogger

Source: Yara match	File source: 33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.4260000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.4260000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000021.00000003.444125965.0000000004260000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: U58dhzMU8ddvYuIUxUkOSiON.exe PID: 6200, type: MEMORYSTR

Found Tor onion address

Source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.557680058.000000000DCE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cvwwajk56uu2la7jl4e2fdxy56veg5hqlaondeb7whvy2vlmreq6jnid.onionPROCESSOR_IDENTIFIER=Intel64 Family 6 Model 85 Stepping 7, GenuineIntel
Source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: Nyiakeng_Puachue_HmongPakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlDeleteFunctionTableRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSao Tome Standard TimeSeImpersonatePrivilegeSetupDiEnumDriverInfoWSetupDiGetClassDevsExWTasmania Standard TimeTor bootstrap progressTor service is runningUnsupported Media TypeWSAGetOverlappedResultWSALookupServiceBeginWWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8access-control-max-ageaddress already in useadvapi32.dll not foundargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryclient not initializedcompileCallabck: type couldn't create devicecouldn't get file infocouldn't start servicecoulnd't write to filecreate main window: %wdecode and decrypt: %wdriver: bad connectionduplicated defer entryelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionencrypt and encode: %werror decoding messageerror parsing regexp: failed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to register: %wfailed to set UUID: %wframe_data_pad_too_bigfreeIndex is not validgenerate challenge: %wgetenv before env initgzip: invalid checksumheadTailIndex overflowheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackinteger divide by zerointegrity check failedinterface conversion: internal inconsistencyinvalid Trailer key %qinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressmultiple :: in addressndndword5lpb7eex.onionnetwork is unreachableno connection providednon-Go function at pc=oldoverflow is not niloperation was canceledoverflowing coordinateozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionread response body: %wreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningset Tor mode to %s: %wskipping Question Nameskipping Question Typespan has no free spacesql: no Rows availablestack not a power of 2status/bootstrap-phasetrace reader (blocked)trace: alloc too largetransaction is stoppedtransaction not existsunexpected length codeunexpected method stepwirep: invalid p statewrite on closed bufferx509: malformed issuerzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
Source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000400000.00000040.00000001.01000000.00000017.sdmp	String found in binary or memory: Nyiakeng_Puachue_HmongPakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlDeleteFunctionTableRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSao Tome Standard TimeSeImpersonatePrivilegeSetupDiEnumDriverInfoWSetupDiGetClassDevsExWTasmania Standard TimeTor bootstrap progressTor service is runningUnsupported Media TypeWSAGetOverlappedResultWSALookupServiceBeginWWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8access-control-max-ageaddress already in useadvapi32.dll not foundargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryclient not initializedcompileCallabck: type couldn't create devicecouldn't get file infocouldn't start servicecoulnd't write to filecreate main window: %wdecode and decrypt: %wdriver: bad connectionduplicated defer entryelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionencrypt and encode: %werror decoding messageerror parsing regexp: failed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to register: %wfailed to set UUID: %wframe_data_pad_too_bigfreeIndex is not validgenerate challenge: %wgetenv before env initgzip: invalid checksumheadTailIndex overflowheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackinteger divide by zerointegrity check failedinterface conversion: internal inconsistencyinvalid Trailer key %qinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressmultiple :: in addressndndword5lpb7eex.onionnetwork is unreachableno connection providednon-Go function at pc=oldoverflow is not niloperation was canceledoverflowing coordinateozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionread response body: %wreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningset Tor mode to %s: %wskipping Question Nameskipping Question Typespan has no free spacesql: no Rows availablestack not a power of 2status/bootstrap-phasetrace reader (blocked)trace: alloc too largetransaction is stoppedtransaction not existsunexpected length codeunexpected method stepwirep: invalid p statewrite on closed bufferx509: malformed issuerzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2
Source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.557680058.000000000DCDE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://zaoshanghao.suhttp://cvwwajk56uu2la7jl4e2fdxy56veg5hqlaondeb7whvy2vlmreq6jnid.onionSoftware\Classes\ms-settings\shell\open\commandSoftware\Classes\ms-settings\shell\open\commandSoftware\Classes\ms-settings\shell\open\commandCommonProgramW6432=C:\Program Files\Common Files
Source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.557680058.000000000DCD4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cvwwajk56uu2la7jl4e2fdxy56veg5hqlaondeb7whvy2vlmreq6jnid.onion
Source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.557680058.000000000DCD4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: -1729232121351c16372a14042518241f2dhttp://cvwwajk56uu2la7jl4e2fdxy56veg5hqlaondeb7whvy2vlmreq6jnid.onionhttp://cvwwajk56uu2la7jl4e2fdxy56veg5hqlaondeb7whvy2vlmreq6jnid.onionS-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\TestAppS-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8http://cvwwajk56uu2la7jl4e2fdxy56veg5hqlaondeb7whvy2vlmreq6jnid.onionS-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8FirstInstallDateS-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8S-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHzS-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8SELECT Name FROM Win32_VideoControllerS-1-5-21-3853321935-2125563209-4053062332-1002\Software\Microsoft\780aa3f8PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 85 Stepping 7, GenuineIntelPROCESSOR_LEVEL=6SESSIONNAME=Consolewindir=C:\WindowsPROCESSOR_IDENTIFIER=Intel64 Family 6 Model 85 Stepping 7, GenuineIntel
Source: f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.522431758.0000000000400000.00000040.00000001.01000000.00000019.sdmp	String found in binary or memory: Nyiakeng_Puachue_HmongPakistan Standard TimeParaguay Standard TimeRoGetActivationFactoryRtlDeleteFunctionTableRtlGetNtVersionNumbersSafeArrayGetRecordInfoSafeArraySetRecordInfoSakhalin Standard TimeSao Tome Standard TimeSeImpersonatePrivilegeSetupDiEnumDriverInfoWSetupDiGetClassDevsExWTasmania Standard TimeTor bootstrap progressTor service is runningUnsupported Media TypeWSAGetOverlappedResultWSALookupServiceBeginWWaitForMultipleObjectsWget/1.12 (freebsd8.1)Xenu Link Sleuth/1.3.8access-control-max-ageaddress already in useadvapi32.dll not foundargument list too longassembly checks failedbad g->status in readybad sweepgen in refillbitcoin3nqy3db7c.onionbody closed by handlercannot allocate memoryclient not initializedcompileCallabck: type couldn't create devicecouldn't get file infocouldn't start servicecoulnd't write to filecreate main window: %wdecode and decrypt: %wdriver: bad connectionduplicated defer entryelectrum.leblancnet.uselectrum3.hodlister.coelectrum5.hodlister.coelectrumxhqdsmlu.onionencrypt and encode: %werror decoding messageerror parsing regexp: failed to get UUID: %wfailed to hide app: %wfailed to open key: %wfailed to open src: %wfailed to register: %wfailed to set UUID: %wframe_data_pad_too_bigfreeIndex is not validgenerate challenge: %wgetenv before env initgzip: invalid checksumheadTailIndex overflowheader field %q = %q%shpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackinteger divide by zerointegrity check failedinterface conversion: internal inconsistencyinvalid Trailer key %qinvalid address familyinvalid number base %djson: unknown field %qkernel32.dll not foundmalformed HTTP versionminpc or maxpc invalidmissing ']' in addressmultiple :: in addressndndword5lpb7eex.onionnetwork is unreachableno connection providednon-Go function at pc=oldoverflow is not niloperation was canceledoverflowing coordinateozahtqwp25chjdjd.onionprotocol not availableprotocol not supportedqtornadoklbgdyww.onionread response body: %wreflect.Value.MapIndexreflect.Value.SetFloatreflectlite.Value.Elemreflectlite.Value.Typeremote address changedruntime.main not on m0runtime: work.nwait = runtime:scanstack: gp=s.freeindex > s.nelemss7clinmo4cazmhul.onionscanstack - bad statussecure boot is enabledsend on closed channelserver.peers.subscribeservice does not existservice is not runningset Tor mode to %s: %wskipping Question Nameskipping Question Typespan has no free spacesql: no Rows availablestack not a power of 2status/bootstrap-phasetrace reader (blocked)trace: alloc too largetransaction is stoppedtransaction not existsunexpected length codeunexpected method stepwirep: invalid p statewrite on closed bufferx509: malformed issuerzero length BIT STRINGzlib: invalid checksum into Go value of type ) must be a power of 2

Yara detected Generic Downloader

Source: Yara match	File source: 14.2.A388.exe.21354a5ff10.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://bulimu55t.net/
Source: Malware configuration extractor	URLs: http://soryytlic4.net/
Source: Malware configuration extractor	URLs: http://bukubuka1.net/
Source: Malware configuration extractor	URLs: http://novanosa5org.org/
Source: Malware configuration extractor	URLs: http://hujukui3.net/
Source: Malware configuration extractor	URLs: http://newzelannd66.org/
Source: Malware configuration extractor	URLs: http://golilopaster.org/
Source: Malware configuration extractor	URLs: http://zexeq.com/raud/get.php

Source: unknown

Network traffic detected: IP country count 11

Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.587270076.0000000003A32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://171.22.28.208/dpp.nnnaajjjgc.com/
Source: AddInProcess32.exe, 00000012.00000002.709315982.0000000002DE7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://5.42.64.10
Source: AddInProcess32.exe, 00000012.00000002.709315982.0000000002DE7000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002E77000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D83000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://5.42.64.10/api/files/software/s5.exe
Source: AddInProcess32.exe, 00000012.00000002.709315982.0000000002D83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://85.217.144.143
Source: AddInProcess32.exe, 00000012.00000002.709315982.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002E77000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D83000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://85.217.144.143/files/My2.exe
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000002.659928263.0000000003840000.00000040.00001000.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.508069337.00000000039D4000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000002.659717297.00000000014BC000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.521926205.00000000039D4000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000002.659906409.00000000036C0000.00000040.00001000.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.510371610.00000000039D4000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.621914047.0000000003A32000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000002.659798164.0000000002DF0000.00000004.00001000.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.624585849.0000000003A32000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.522984526.00000000039D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000002.659717297.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/0vx
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000002.659717297.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/Lv
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.644710934.0000000003A19000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.650934958.0000000003A1E000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000002.659975363.0000000003A22000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.559968655.00000000039CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.453911428.00000000039E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1134410&key=d8da1f375efe6f677fdf59da1e67cae1
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.484324155.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.482007401.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.483619386.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.478481171.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.468722131.00000000039E7000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.477596745.00000000039C9000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.481490961.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.453911428.00000000039E7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1134410&key=d8da1f375efe6f677fdf59da1e67cae1j
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.484324155.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.482007401.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.483619386.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.478481171.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.468722131.00000000039E7000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.477596745.00000000039C9000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.481490961.00000000039D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1134520&key=b7ede437f78d86896c262b77e451a861
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.478481171.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.477596745.00000000039C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1134630&key=a7f738ef34a58abfd14b211f7ae4d75a;
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.484324155.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.482007401.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.483619386.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.478481171.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.477596745.00000000039C9000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.481490961.00000000039D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1134664&key=5a5e7537a8885a65fb2b4176d4c48e2c
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.475552135.0000000003A24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1134664&key=5a5e7537a8885a65fb2b4176d4c48e2cco
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.487859289.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.484324155.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.482007401.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.487163158.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.483619386.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.487415421.00000000039DA000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.494963976.00000000039D4000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.500068426.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.481490961.00000000039D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1134718&key=abd6c79d9cdea0adf3c5fbb50faa6372
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.484324155.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.483619386.00000000039D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1134718&key=abd6c79d9cdea0adf3c5fbb50faa6372;
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.484324155.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.482007401.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.483619386.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.481490961.00000000039D8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1134718&key=abd6c79d9cdea0adf3c5fbb50faa6372W
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.504972513.00000000039E1000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.487859289.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.504033756.00000000039D4000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.508038273.00000000039E6000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.484324155.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.487163158.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.483619386.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.487415421.00000000039DA000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.494963976.00000000039D4000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.500068426.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.510336455.00000000039E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1134718&key=abd6c79d9cdea0adf3c5fbb50faa6372y
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.487382669.0000000003A33000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1134752&key=b91eaeee1ec96f7344a52c72e78649e0
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.487382669.0000000003A33000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1134752&key=b91eaeee1ec96f7344a52c72e78649e0w
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.493610182.0000000003A2D000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.493610182.0000000003A33000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.503664579.0000000003A1E000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.494963976.00000000039D4000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.503664579.0000000003A33000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.500068426.00000000039E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1134790&key=72224396aab18bba753981c520d8b1a5
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.493610182.0000000003A2D000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.503664579.0000000003A1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1134790&key=72224396aab18bba753981c520d8b1a5Gh
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.504972513.00000000039E1000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.504033756.00000000039D4000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.493700002.0000000003A08000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.493610182.0000000003A2D000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.494963976.00000000039D4000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.500068426.00000000039E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1134810&key=2e80054952ba0f1faf1a5db7f7ffcc01
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.493700002.0000000003A08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1134810&key=2e80054952ba0f1faf1a5db7f7ffcc01)Q
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.493610182.0000000003A33000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.503664579.0000000003A33000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1134810&key=2e80054952ba0f1faf1a5db7f7ffcc016C92co
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.494963976.00000000039D4000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.500068426.00000000039E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1134810&key=2e80054952ba0f1faf1a5db7f7ffcc01;
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.493700002.0000000003A08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1134810&key=2e80054952ba0f1faf1a5db7f7ffcc01AP
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.493610182.0000000003A33000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.503664579.0000000003A33000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1134810&key=2e80054952ba0f1faf1a5db7f7ffcc01G
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.504972513.00000000039E1000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.504033756.00000000039D4000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.494963976.00000000039D4000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.500068426.00000000039E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1134810&key=2e80054952ba0f1faf1a5db7f7ffcc01_
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.494963976.00000000039D4000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.500068426.00000000039E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1134810&key=2e80054952ba0f1faf1a5db7f7ffcc01b
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.493610182.0000000003A2D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1134810&key=2e80054952ba0f1faf1a5db7f7ffcc01hrome/116.0.0.0
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.507939167.0000000003A33000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.507939167.0000000003A2D000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.510336455.00000000039E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1134916&key=3167af0b34b5a44fdec507f97304d55a
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.508038273.00000000039E6000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.510336455.00000000039E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1134916&key=3167af0b34b5a44fdec507f97304d55a#
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.507939167.0000000003A2D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1134916&key=3167af0b34b5a44fdec507f97304d55aad23e1
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.510336455.0000000003A08000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.510394090.0000000003A08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1134940&key=9c360413b20472b92e1b278
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.510056403.0000000003A1E000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.521926205.00000000039D4000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.510056403.0000000003A32000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.522984526.00000000039D4000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.510336455.00000000039E5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1134940&key=9c360413b20472b92e1b278c2654cd9b
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.510056403.0000000003A32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1134940&key=9c360413b20472b92e1b278c2654cd9b6C92
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.510056403.0000000003A1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1134940&key=9c360413b20472b92e1b278c2654cd9bec507f97304d55a
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.510056403.0000000003A32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1134940&key=9c360413b20472b92e1b278c2654cd9bgc
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.521926205.00000000039D4000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.541322508.00000000039E4000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.522984526.00000000039D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1134958&key=41250e8bd6a56f64e8c0405a6d7193b4
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.521926205.00000000039D4000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.522984526.00000000039D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1134966&key=0fd5f12a596a555ef492fb9
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.518699245.0000000003A25000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.522164708.0000000003A32000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.521926205.00000000039D4000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.522164708.0000000003A2D000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.518699245.0000000003A32000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.522984526.00000000039D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1134966&key=0fd5f12a596a555ef492fb98f379fab8
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.522164708.0000000003A32000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.518699245.0000000003A32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1134966&key=0fd5f12a596a555ef492fb98f379fab8?
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.518699245.0000000003A25000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.522164708.0000000003A2D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1134966&key=0fd5f12a596a555ef492fb98f379fab8hrome/116.0.0.0
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.541322508.00000000039E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1135090&key=edd7cc6d7a3da0e6fcfef9be40b04de5
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.529764912.0000000003A33000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.529294566.0000000003A32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1135096&key=926573ae433d4e9b1289658ba0ba5ac36C92
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.541322508.00000000039E4000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.550000806.00000000039C9000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.540098239.0000000003A02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1135144&key=023c731ba3587eb5248d1c34c3dff713
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.540098239.0000000003A02000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1135184&key=e2b003b01e4d0eb6ffeb7affbde6d54b
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.541322508.00000000039E4000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.550000806.00000000039C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1135184&key=e2b003b01e4d0eb6ffeb7affbde6d54b30
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.541322508.00000000039E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1135184&key=e2b003b01e4d0eb6ffeb7affbde6d54b5
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.546344384.0000000003A32000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.543043426.0000000003A33000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1135184&key=e2b003b01e4d0eb6ffeb7affbde6d54b6C92
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.555268660.00000000039CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1135324&key=7d66a132c21ba63fc78546c9d24589f2
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.555268660.00000000039CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1135340&key=86810d751c0aa0fa28346472918311d6
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.555251999.0000000003A32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1135340&key=86810d751c0aa0fa28346472918311d61:ut
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.555268660.00000000039CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1135340&key=86810d751c0aa0fa28346472918311d630
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.555251999.0000000003A32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1135340&key=86810d751c0aa0fa28346472918311d66C92
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.557010087.0000000003A32000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.555251999.0000000003A32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1135340&key=86810d751c0aa0fa28346472918311d66C9221
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.555251999.0000000003A2C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1135340&key=86810d751c0aa0fa28346472918311d6VpT2pFMk9UbjA9
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.555268660.00000000039CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1135340&key=86810d751c0aa0fa28346472918311d6y
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.571334117.00000000039C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1135404&key=68acdef07771384dfd60618d4ee3762c
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.580765017.0000000003A32000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.580765017.0000000003A2B000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.572402015.00000000039E1000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.568847528.0000000003A2C000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.571334117.00000000039C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1135418&key=af1ae34227e74b84877a2b0bbf3bee9b
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.572402015.00000000039E1000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.571334117.00000000039C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1135418&key=af1ae34227e74b84877a2b0bbf3bee9b_
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.580765017.0000000003A2B000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.568847528.0000000003A2C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1135418&key=af1ae34227e74b84877a2b0bbf3bee9bmi
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.589146137.00000000039CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1135610&key=4046e3a9fdb6e9ea3edf724aa957aa89
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.589146137.00000000039CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1135610&key=4046e3a9fdb6e9ea3edf724aa957aa8930
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.587270076.0000000003A32000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.588792935.0000000003A2B000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.587270076.0000000003A24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1135652&key=52a1fa091a2d98cce516cbabc104bbb1
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.587270076.0000000003A32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1135652&key=52a1fa091a2d98cce516cbabc104bbb1081221o
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.621914047.00000000039FF000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.624585849.0000000003A10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1135936&key=9f52c9e763a3022767eed76259d3a4df
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.621914047.00000000039FF000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.624585849.0000000003A10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1135936&key=9f52c9e763a3022767eed76259d3a4dfDyn
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000002.659975363.0000000003980000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1135936&key=9f52c9e763a3022767eed76259d3a4dfHYd/S4Buu41P
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.641242547.00000000039DA000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.639907595.00000000039C4000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.640934427.0000000003A32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1136118&key=18166b66b4c087f47773dacf194063c0
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.641242547.00000000039DA000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.639907595.00000000039C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1136118&key=18166b66b4c087f47773dacf194063c030
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.640934427.0000000003A32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1136118&key=18166b66b4c087f47773dacf194063c06C92
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.653204608.00000000039C7000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.646375492.00000000039C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1136228&key=c0307c8142a402d39ed54c9eadddda2e30
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.644710934.0000000003A32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1136228&key=c0307c8142a402d39ed54c9eadddda2eo
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.650934958.0000000003A16000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000002.659975363.0000000003A22000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1136320&key=f4073b8c48cdf506608aafebc7c710bd
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000002.659975363.00000000039C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1136320&key=f4073b8c48cdf506608aafebc7c710bd30
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.650934958.0000000003A32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1136320&key=f4073b8c48cdf506608aafebc7c710bd?
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.650934958.0000000003A1E000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000002.659975363.0000000003A22000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1136320&key=f4073b8c48cdf506608aafebc7c710bdI
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000002.659975363.0000000003A16000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.650934958.0000000003A16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1136320&key=f4073b8c48cdf506608aafebc7c710bdJO0x
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.650934958.0000000003A16000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1136320&key=f4073b8c48cdf506608aafebc7c710bdkO
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.650934958.0000000003A1E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/?sid=1136320&key=f4073b8c48cdf506608aafebc7c710bdl
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.559968655.00000000039CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/safe
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.487382669.0000000003A33000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.475552135.0000000003A24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/safe$l4x
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.646375492.00000000039C2000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.639907595.00000000039C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/safe7OM
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.493700002.0000000003A08000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/safe9P
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.572402015.00000000039E1000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.571334117.00000000039C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/safeGz2QMa%
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.493700002.0000000003A08000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.555251999.0000000003A32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/safeI
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.507939167.0000000003A33000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.650934958.0000000003A1E000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.540098239.0000000003A02000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000002.659975363.0000000003A22000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/safeL
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.572402015.00000000039E1000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.571334117.00000000039C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/safeRNM1sQ
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.653204608.00000000039C7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/safeae/pIp2nc7wI0OOZ7ODWvQOKWZEwtQr8kNPChgS4fnzXGoNlFvG/T2NimDhtjD7a
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.555268660.00000000039CF000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.571334117.00000000039C9000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.559968655.00000000039CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/safebt
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000002.659717297.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/safed
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.487382669.0000000003A33000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.475552135.0000000003A24000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/safeglux
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.555268660.00000000039CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/safeo
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.508069337.00000000039D4000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.521926205.00000000039D4000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.550000806.00000000039C9000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.555268660.00000000039CF000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.541941519.00000000039CB000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.510371610.00000000039D4000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.522984526.00000000039D4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/safep
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.507939167.0000000003A33000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com/check/safet
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000002.659717297.00000000014B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://app.nnnaajjjgc.com:80/check/safe
Source: AddInProcess32.exe, 00000012.00000002.709315982.0000000002E44000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: AddInProcess32.exe, 00000012.00000002.709315982.0000000002E44000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: AddInProcess32.exe, 00000012.00000002.709315982.0000000002E44000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: AddInProcess32.exe, 00000012.00000002.709315982.0000000002E44000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: 4A15.exe, 00000019.00000002.528784929.00000000005C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://colisumy.com/dl/build2.exe
Source: 4A15.exe, 00000019.00000002.528784929.00000000005FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://colisumy.com/dl/build2.exe$run
Source: 4A15.exe, 00000019.00000002.528784929.00000000005C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://colisumy.com/dl/build2.exerun
Source: explorer.exe, 00000002.00000000.376345728.00007FFC2B229000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://components.groove.net/Groove/Components/Root.osd?Package=net.groove.Groove.Tools.System.Groov
Source: explorer.exe, 00000002.00000000.376345728.00007FFC2B229000.00000002.00000001.01000000.00000005.sdmp	String found in binary or memory: http://components.groove.net/Groove/Components/SystemComponents/SystemComponents.osd?Package=net.gro
Source: Pwp3yspp3pM97CCYpnZxEaEs.exe, 0000001C.00000003.440105042.00000000025E8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.542182071.00000000046F2000.00000040.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.g
Source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000843000.00000040.00000001.01000000.00000017.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.0000000004F33000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/ObjectSign.crl0
Source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000843000.00000040.00000001.01000000.00000017.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.0000000004F33000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/Root.crl0
Source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000843000.00000040.00000001.01000000.00000017.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.0000000004F33000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/primobject.crl0
Source: svchost.exe, 00000004.00000002.448095688.000001AC75CEC000.00000004.00000020.00020000.00000000.sdmp, 4A15.exe, 0000000B.00000003.433589617.000000000074E000.00000004.00000020.00020000.00000000.sdmp, 4A15.exe, 0000000B.00000002.435946180.000000000074C000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.690591915.0000000001134000.00000004.00000020.00020000.00000000.sdmp, 4A15.exe, 00000019.00000002.528784929.00000000005C2000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000002.659717297.00000000014BC000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.450265651.00000000014CC000.00000004.00000020.00020000.00000000.sdmp, 4A15.exe, 0000001D.00000002.678164342.000000000078C000.00000004.00000020.00020000.00000000.sdmp, 4A15.exe, 0000001D.00000003.584736156.000000000078C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.450265651.0000000001521000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.m
Source: AddInProcess32.exe, 00000012.00000002.709315982.0000000002DB0000.00000004.00000800.00020000.00000000.sdmp, Pwp3yspp3pM97CCYpnZxEaEs.exe, 0000001C.00000003.440105042.00000000025E8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: AddInProcess32.exe, 00000012.00000002.709315982.0000000002DB0000.00000004.00000800.00020000.00000000.sdmp, Pwp3yspp3pM97CCYpnZxEaEs.exe, 0000001C.00000003.440105042.00000000025E8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: AddInProcess32.exe, 00000012.00000002.709315982.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002DA7000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D83000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002DB0000.00000004.00000800.00020000.00000000.sdmp, Pwp3yspp3pM97CCYpnZxEaEs.exe, 0000001C.00000003.440105042.00000000025E8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: svchost.exe, 00000004.00000002.448095688.000001AC75CEC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: AddInProcess32.exe, 00000012.00000002.709315982.0000000002E44000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: AddInProcess32.exe, 00000012.00000002.709315982.0000000002E44000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: AddInProcess32.exe, 00000012.00000002.709315982.0000000002E44000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: AddInProcess32.exe, 00000012.00000002.709315982.0000000002E44000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: AddInProcess32.exe, 00000012.00000002.709315982.0000000002E44000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: AddInProcess32.exe, 00000012.00000002.709315982.0000000002DB0000.00000004.00000800.00020000.00000000.sdmp, Pwp3yspp3pM97CCYpnZxEaEs.exe, 0000001C.00000003.440105042.00000000025E8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: AddInProcess32.exe, 00000012.00000002.709315982.0000000002DB0000.00000004.00000800.00020000.00000000.sdmp, Pwp3yspp3pM97CCYpnZxEaEs.exe, 0000001C.00000003.440105042.00000000025E8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: AddInProcess32.exe, 00000012.00000002.709315982.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002DA7000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D83000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002DB0000.00000004.00000800.00020000.00000000.sdmp, Pwp3yspp3pM97CCYpnZxEaEs.exe, 0000001C.00000003.440105042.00000000025E8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.557680058.000000000DCD4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cvwwajk56uu2la7jl4e2fdxy56veg5hqlaondeb7whvy2vlmreq6jnid.onion
Source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.557680058.000000000DCE0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cvwwajk56uu2la7jl4e2fdxy56veg5hqlaondeb7whvy2vlmreq6jnid.onionPROCESSOR_IDENTIFIER=Intel64
Source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.557680058.000000000DCD4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cvwwajk56uu2la7jl4e2fdxy56veg5hqlaondeb7whvy2vlmreq6jnid.onionS-1-5-21-3853321935-2125563209-
Source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.557680058.000000000DCD4000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://cvwwajk56uu2la7jl4e2fdxy56veg5hqlaondeb7whvy2vlmreq6jnid.onionhttp://cvwwajk56uu2la7jl4e2fdxy
Source: YRhJ9y7wcq2JenN54ladams2.exe, 00000020.00000003.526186837.0000000002051000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://demo.seafile.com/f/4dd787a6a9b74434b278/?dl=1
Source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000400000.00000040.00000001.01000000.00000017.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.522431758.0000000000400000.00000040.00000001.01000000.00000019.sdmp	String found in binary or memory: http://devlog.gregarius.net/docs/ua)Links
Source: V1NdDWPeq5yoU55PUCrHuT1N.exe, 00000023.00000002.445804410.0000000000471000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://down.360safe.com/setup.exePathSOFTWARE
Source: V1NdDWPeq5yoU55PUCrHuT1N.exe, 00000023.00000002.445817611.0000000000487000.00000008.00000001.01000000.00000018.sdmp	String found in binary or memory: http://down.360safe.com/setup.exehttp://down.360safe.com/setupbeta.exe
Source: V1NdDWPeq5yoU55PUCrHuT1N.exe, 00000023.00000002.445817611.0000000000487000.00000008.00000001.01000000.00000018.sdmp	String found in binary or memory: http://down.360safe.com/setup.exehttp://down.360safe.com/setupbeta.exe360
Source: V1NdDWPeq5yoU55PUCrHuT1N.exe, 00000023.00000002.445817611.0000000000487000.00000008.00000001.01000000.00000018.sdmp	String found in binary or memory: http://down.360safe.com/setup.exehttp://down.360safe.com/setupbeta.exeBUTTONBUTTONProduct32Product64
Source: AddInProcess32.exe, 00000012.00000002.709315982.0000000002DE7000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002E77000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D83000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://galandskiyher3.com/downloads/toolspub1.exe
Source: AddInProcess32.exe, 00000012.00000002.709315982.0000000002D83000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://hbn42414.beget.tech
Source: AddInProcess32.exe, 00000012.00000002.709315982.0000000002D83000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://hbn42414.beget.tech/385118/setup.exe
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.572402015.00000000039E1000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.571334117.00000000039C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://host-host-file8pp.nnnaajjjgc.com/check/safe
Source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.00000000051BB000.00000040.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000ACC000.00000040.00000001.01000000.00000017.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.541185132.00000000051EB000.00000040.00001000.00020000.00000000.sdmp	String found in binary or memory: http://https://_bad_pdb_file.pdb
Source: 4A15.exe, 0000000A.00000002.419357601.0000000004470000.00000040.00001000.00020000.00000000.sdmp, 4A15.exe, 0000000B.00000002.435887482.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 4A15.exe, 00000018.00000002.436925476.0000000004380000.00000040.00001000.00020000.00000000.sdmp, 4A15.exe, 00000019.00000002.528674260.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 4A15.exe, 0000001B.00000002.521687562.0000000004390000.00000040.00001000.00020000.00000000.sdmp, 4A15.exe, 0000001D.00000002.665875140.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error
Source: AddInProcess32.exe, 00000012.00000002.709315982.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://int.down.360safe.com
Source: AddInProcess32.exe, 00000012.00000002.709315982.0000000002DE7000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002E77000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D83000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://int.down.360safe.com/totalsecurity/360TS_Setup_Mini_WW_InstallRox_CPI202211_6.6.0.1054.exe
Source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000400000.00000040.00000001.01000000.00000017.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.522431758.0000000000400000.00000040.00000001.01000000.00000019.sdmp	String found in binary or memory: http://invalidlog.txtlookup
Source: V1NdDWPeq5yoU55PUCrHuT1N.exe, 00000023.00000000.444126937.000000000056E000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Rel.cab
Source: V1NdDWPeq5yoU55PUCrHuT1N.exe, 00000023.00000000.444126937.000000000056E000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TS.cabXhttp://www.360totalsecurity.c
Source: V1NdDWPeq5yoU55PUCrHuT1N.exe, 00000023.00000000.444126937.000000000056E000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TSE.cab9http://int.down.360safe.com/
Source: AddInProcess32.exe, 00000012.00000002.709315982.0000000002DAB000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002DE7000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002E77000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D83000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ji.alie3ksgbb.com/m/ss29
Source: YRhJ9y7wcq2JenN54ladams2.exe, 00000020.00000003.526186837.0000000002051000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://link.storjshare.io/jw6d5ycuf7e6mtiudwapyqs22o2q/less-bucket%2F3la%20barra%2FLightCleaner.exe?
Source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000400000.00000040.00000001.01000000.00000017.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.522431758.0000000000400000.00000040.00000001.01000000.00000019.sdmp	String found in binary or memory: http://localhost:3433/https://duniadekho.baridna:
Source: AddInProcess32.exe, 00000012.00000002.709315982.0000000002DE7000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002E77000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D83000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767
Source: Pwp3yspp3pM97CCYpnZxEaEs.exe, 0000001C.00000003.440105042.00000000025E8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: AddInProcess32.exe, 00000012.00000002.709315982.0000000002E44000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: AddInProcess32.exe, 00000012.00000002.709315982.0000000002E44000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: AddInProcess32.exe, 00000012.00000002.709315982.0000000002E44000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: AddInProcess32.exe, 00000012.00000002.709315982.0000000002E44000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: AddInProcess32.exe, 00000012.00000002.709315982.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002DA7000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D83000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002DB0000.00000004.00000800.00020000.00000000.sdmp, Pwp3yspp3pM97CCYpnZxEaEs.exe, 0000001C.00000003.440105042.00000000025E8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: AddInProcess32.exe, 00000012.00000002.709315982.0000000002DB0000.00000004.00000800.00020000.00000000.sdmp, Pwp3yspp3pM97CCYpnZxEaEs.exe, 0000001C.00000003.440105042.00000000025E8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.sectigo.com0-
Source: V1NdDWPeq5yoU55PUCrHuT1N.exe, 00000023.00000002.445804410.0000000000471000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://pinst.360.cn/360se/wssj_setup.cabGdiplus.dllGdiplusStartupGdiplusShutdownGdipCreateFromHDCGdi
Source: V1NdDWPeq5yoU55PUCrHuT1N.exe, 00000023.00000002.445804410.0000000000471000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://pinst.360.cn/zhuomian/desktopsafe.cabSoftware
Source: V1NdDWPeq5yoU55PUCrHuT1N.exe, 00000023.00000002.445804410.0000000000471000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://s.360safe.com/360ts/mini_inst.htm?ver=%s&pid=%s&os=%s&mid=%s&state=%d&opr_state=%xhttp://s.36
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.644710934.0000000003A32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.360safe.com/pp.nnnaajjjgc.com/check/?sid=1136228&key=c0307c8142a402d39ed54c9eadddda2e
Source: AddInProcess32.exe, 00000012.00000002.709315982.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, 4GAUQKCdkFpttJoyS2YGgxr9.exe, 0000001E.00000002.699952372.00000000035F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.640934427.0000000003A3E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://script.google.cpp.nnnaajjjgc.com/check/safe
Source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000400000.00000040.00000001.01000000.00000017.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.522431758.0000000000400000.00000040.00000001.01000000.00000019.sdmp	String found in binary or memory: http://search.msn.com/msnbot.htm)msnbot/1.1
Source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000400000.00000040.00000001.01000000.00000017.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.522431758.0000000000400000.00000040.00000001.01000000.00000019.sdmp	String found in binary or memory: http://search.msn.com/msnbot.htm)net/http:
Source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000400000.00000040.00000001.01000000.00000017.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.522431758.0000000000400000.00000040.00000001.01000000.00000019.sdmp	String found in binary or memory: http://search.msn.com/msnbot.htm)pkcs7:
Source: V1NdDWPeq5yoU55PUCrHuT1N.exe, 00000023.00000000.444126937.000000000056E000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://www.360safe.com/totalsecurity/en/101/tswin10u/d7http://www.360safe.com/totalsecurity/en/101/t
Source: V1NdDWPeq5yoU55PUCrHuT1N.exe, 00000023.00000002.445804410.0000000000471000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: http://www.360totalsecurity.comIDS_LOAD_P2SP_ERROR/tswin10/tsewin10IDS_UPDATE_QUESTIONIDS_UPDATE_WAR
Source: 4A15.exe, 00000019.00000003.516080817.0000000003170000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.amazon.com/
Source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000400000.00000040.00000001.01000000.00000017.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.522431758.0000000000400000.00000040.00000001.01000000.00000019.sdmp	String found in binary or memory: http://www.avantbrowser.com)MOT-V9mm/00.62
Source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000400000.00000040.00000001.01000000.00000017.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.522431758.0000000000400000.00000040.00000001.01000000.00000019.sdmp	String found in binary or memory: http://www.baidu.com/search/spider.htm)MobileSafari/600.1.4
Source: AddInProcess32.exe, 00000012.00000002.709315982.0000000002E44000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: 4A15.exe, 00000019.00000003.516184671.0000000003170000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.google.com/
Source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000400000.00000040.00000001.01000000.00000017.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.522431758.0000000000400000.00000040.00000001.01000000.00000019.sdmp	String found in binary or memory: http://www.google.com/feedfetcher.html)HKLM
Source: YRhJ9y7wcq2JenN54ladams2.exe, 00000020.00000003.442316567.0000000002440000.00000004.00001000.00020000.00000000.sdmp, YRhJ9y7wcq2JenN54ladams2.exe, 00000020.00000003.443753613.0000000002330000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.innosetup.com/
Source: YRhJ9y7wcq2JenN54ladams2.exe, 00000020.00000002.526416925.0000000000401000.00000020.00000001.01000000.00000015.sdmp	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline
Source: YRhJ9y7wcq2JenN54ladams2.exe, 00000020.00000002.526416925.0000000000401000.00000020.00000001.01000000.00000015.sdmp	String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: 4A15.exe, 00000019.00000003.516223554.0000000003170000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.live.com/
Source: 4A15.exe, 00000019.00000003.516248171.0000000003170000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.nytimes.com/
Source: 4A15.exe, 0000001D.00000002.665875140.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: AddInProcess32.exe, 00000012.00000002.709315982.0000000002E44000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D93000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.opera.com0
Source: 4A15.exe, 00000019.00000003.516279370.0000000003170000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.reddit.com/
Source: YRhJ9y7wcq2JenN54ladams2.exe, 00000020.00000003.442316567.0000000002440000.00000004.00001000.00020000.00000000.sdmp, YRhJ9y7wcq2JenN54ladams2.exe, 00000020.00000003.443753613.0000000002330000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.remobjects.com/ps
Source: YRhJ9y7wcq2JenN54ladams2.exe, 00000020.00000003.442316567.0000000002440000.00000004.00001000.00020000.00000000.sdmp, YRhJ9y7wcq2JenN54ladams2.exe, 00000020.00000003.443753613.0000000002330000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.remobjects.com/psU
Source: 4A15.exe, 00000019.00000003.516314996.0000000003170000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.twitter.com/
Source: 4A15.exe, 00000019.00000003.516366313.0000000003170000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.wikipedia.com/
Source: 4A15.exe, 00000019.00000003.516430209.0000000003170000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.youtube.com/
Source: 4A15.exe, 00000019.00000003.527546819.000000000065D000.00000004.00000020.00020000.00000000.sdmp, 4A15.exe, 00000019.00000002.529745378.00000000030B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zexeq.com/files/1/build3.exe
Source: 4A15.exe, 00000019.00000002.528784929.00000000005FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zexeq.com/files/1/build3.exe$run
Source: 4A15.exe, 00000019.00000002.528784929.00000000005FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zexeq.com/files/1/build3.exe$run8
Source: 4A15.exe, 00000019.00000002.528784929.00000000005FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zexeq.com/files/1/build3.exe$runC
Source: 4A15.exe, 00000019.00000002.528888660.000000000065D000.00000004.00000020.00020000.00000000.sdmp, 4A15.exe, 00000019.00000003.527546819.000000000065D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zexeq.com/files/1/build3.exe-N
Source: 4A15.exe, 00000019.00000003.526920988.00000000030B1000.00000004.00000020.00020000.00000000.sdmp, 4A15.exe, 00000019.00000003.528078249.00000000030B1000.00000004.00000020.00020000.00000000.sdmp, 4A15.exe, 00000019.00000002.529745378.00000000030B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zexeq.com/files/1/build3.exerun
Source: 4A15.exe, 00000019.00000002.528784929.00000000005C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zexeq.com/files/1/build3.exerunXp.
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.555268660.00000000039CF000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.559968655.00000000039CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zexeq.com/filespp.nnnaajjjgc.com/
Source: 4A15.exe, 00000019.00000002.528784929.00000000005FF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zexeq.com/raud/get.php
Source: 4A15.exe, 00000019.00000002.528888660.000000000061C000.00000004.00000020.00020000.00000000.sdmp, 4A15.exe, 00000019.00000003.528105248.000000000061B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zexeq.com/raud/get.php?pid=F4B58C92E14ED1DB6A495C4F0112806C&first=trueB
Source: 4A15.exe, 00000019.00000002.528784929.00000000005C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://zexeq.com/raud/get.php?pid=F4B58C92E14ED1DB6A495C4F0112806C&first=trueW
Source: 4A15.exe, 00000019.00000002.528784929.00000000005C2000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.650934958.0000000003A3E000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.644710934.0000000003A32000.00000004.00000020.00020000.00000000.sdmp, 4A15.exe, 0000001D.00000002.678164342.000000000078C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/
Source: 4A15.exe, 0000000B.00000002.435946180.00000000006D8000.00000004.00000020.00020000.00000000.sdmp, 4A15.exe, 0000000B.00000003.433599791.000000000071D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/M
Source: 4A15.exe, 0000001D.00000002.678164342.0000000000748000.00000004.00000020.00020000.00000000.sdmp, 4A15.exe, 0000001D.00000002.678164342.000000000078C000.00000004.00000020.00020000.00000000.sdmp, 4A15.exe, 0000001D.00000002.665875140.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.json
Source: 4A15.exe, 00000019.00000002.528784929.00000000005C2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.json&A
Source: 4A15.exe, 0000001D.00000002.678164342.000000000078C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.json7
Source: 4A15.exe, 0000001D.00000002.678164342.0000000000748000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsonB
Source: 4A15.exe, 0000001D.00000002.678164342.0000000000748000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsoni
Source: 4A15.exe, 00000019.00000002.528784929.0000000000578000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsonp
Source: 4A15.exe, 0000001D.00000003.584736156.000000000076E000.00000004.00000020.00020000.00000000.sdmp, 4A15.exe, 0000001D.00000002.678164342.0000000000748000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsonr
Source: 4A15.exe, 0000001D.00000002.678164342.0000000000748000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.2ip.ua/geo.jsonz
Source: U58dhzMU8ddvYuIUxUkOSiON.exe, 00000021.00000003.444125965.0000000004260000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: U58dhzMU8ddvYuIUxUkOSiON.exe, 00000021.00000003.444125965.0000000004260000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/iphttps://api.my-ip.io
Source: U58dhzMU8ddvYuIUxUkOSiON.exe, 00000021.00000003.444125965.0000000004260000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://api.my-ip.io
Source: f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.522431758.0000000000400000.00000040.00000001.01000000.00000019.sdmp	String found in binary or memory: https://blockchain.infoindex
Source: AddInProcess32.exe, 00000012.00000002.709315982.0000000002DB4000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002DBE000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://d241.userscloud.net/d/hulq6euctn2fvxijrtnj7gioldutikskeaas5n4z5jprs4ng4yrlvcutm4k33tidjh4auv
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.650934958.0000000003A32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://desktop-netinspp.nnnaajjjgc.com/check/?sid=1136320&key=f4073b8c48cdf506608aafebc7c710bd
Source: 4A15.exe, 00000019.00000003.523963155.0000000003170000.00000004.00001000.00020000.00000000.sdmp, 4A15.exe, 00000019.00000003.526468027.0000000003170000.00000004.00001000.00020000.00000000.sdmp, 4A15.exe, 00000019.00000003.523571046.0000000003170000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://dev.vk.com
Source: Pwp3yspp3pM97CCYpnZxEaEs.exe, 0000001C.00000002.677592753.0000000002301000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://digitalpulsedata.com/
Source: Pwp3yspp3pM97CCYpnZxEaEs.exe, 0000001C.00000003.439723896.00000000024F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://digitalpulsedata.com/:https://digitalpulsedata.com/:https://digitalpulsedata.com/
Source: Pwp3yspp3pM97CCYpnZxEaEs.exe, 0000001C.00000003.439723896.00000000024F0000.00000004.00001000.00020000.00000000.sdmp, Pwp3yspp3pM97CCYpnZxEaEs.exe, 0000001C.00000002.677592753.0000000002287000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://digitalpulsedata.com/pp/
Source: Pwp3yspp3pM97CCYpnZxEaEs.exe, 0000001C.00000003.439723896.00000000024F0000.00000004.00001000.00020000.00000000.sdmp, Pwp3yspp3pM97CCYpnZxEaEs.exe, 0000001C.00000002.677592753.0000000002287000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://digitalpulsedata.com/tos/.
Source: Pwp3yspp3pM97CCYpnZxEaEs.exe, 0000001C.00000002.677592753.0000000002271000.00000004.00001000.00020000.00000000.sdmp, Pwp3yspp3pM97CCYpnZxEaEs.exe, 0000001C.00000003.439723896.00000000024F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://digitalpulsedata.com/uninstall/?guid=
Source: AddInProcess32.exe, 00000012.00000002.709315982.0000000002DAB000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002DE7000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002E77000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D83000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://downloads.digitalpulsedata.com/0.16.16/DigitalPulse.exe
Source: AddInProcess32.exe, 00000012.00000002.709315982.0000000002DAB000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002DE7000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D83000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://flyawayaero.net/baf14778c246e15550645e30ba78ce1c.exe
Source: AddInProcess32.exe, 00000012.00000002.709315982.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://iplogger.com/1uNwK4
Source: explorer.exe, 00000002.00000000.374746176.00000000068D2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.374517074.0000000004AFA000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://java.sun.com
Source: AddInProcess32.exe, 00000012.00000002.709315982.0000000002DE7000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002E77000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D83000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://jetpackdelivery.net/7a54bdb20779c4359694feaa1398dd25.exe
Source: Pwp3yspp3pM97CCYpnZxEaEs.exe, 0000001C.00000000.439502509.0000000000401000.00000020.00000001.01000000.00000011.sdmp	String found in binary or memory: https://jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: AddInProcess32.exe, 00000012.00000002.709315982.0000000002D93000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://justsafepay.com/03ea740ea772f2ff2218e4ed0bfbac4b/7a54bdb20779c4359694feaa1398dd25.exe
Source: AddInProcess32.exe, 00000012.00000002.709315982.0000000002DAB000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002E77000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D83000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://link.storjshare.io/jwwi6qvijjcy2bytemq4e4pelcoa/installer%2FLightCleaner.exe?download=1
Source: 4A15.exe, 00000019.00000003.523963155.0000000003170000.00000004.00001000.00020000.00000000.sdmp, 4A15.exe, 00000019.00000003.526468027.0000000003170000.00000004.00001000.00020000.00000000.sdmp, 4A15.exe, 00000019.00000003.523571046.0000000003170000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://login.vk.com/
Source: 4A15.exe, 00000019.00000003.523963155.0000000003170000.00000004.00001000.00020000.00000000.sdmp, 4A15.exe, 00000019.00000003.526468027.0000000003170000.00000004.00001000.00020000.00000000.sdmp, 4A15.exe, 00000019.00000003.523571046.0000000003170000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://login.vk.com/?act=login
Source: 4A15.exe, 00000019.00000003.523963155.0000000003170000.00000004.00001000.00020000.00000000.sdmp, 4A15.exe, 00000019.00000003.526468027.0000000003170000.00000004.00001000.00020000.00000000.sdmp, 4A15.exe, 00000019.00000003.523571046.0000000003170000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://login.vk.com/?act=logout&hash=7472f290654d0fb45c&_origin=https%3A%2F%2Fvk.com&lrt=BDpxh3TFcr
Source: AddInProcess32.exe, 00000012.00000002.709315982.0000000002DE7000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002E77000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D83000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://lycheepanel.info/download/?cid=client7
Source: 4GAUQKCdkFpttJoyS2YGgxr9.exe, 0000001E.00000002.699952372.00000000035F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://m7val1dat0r.info
Source: 4A15.exe, 00000019.00000003.519668767.0000000003170000.00000004.00001000.00020000.00000000.sdmp, 4GAUQKCdkFpttJoyS2YGgxr9.exe, 0000001E.00000002.699952372.00000000035F1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://m7val1dat0r.info/loader
Source: AddInProcess32.exe, 00000012.00000002.709315982.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://net.geo.opera.com/opera/stable/windows/?utm_medium=apb&utm_source=mkt&utm_campaign=767
Source: V1NdDWPeq5yoU55PUCrHuT1N.exe, 00000023.00000002.445804410.0000000000471000.00000002.00000001.01000000.00000018.sdmp	String found in binary or memory: https://orion.ts.360.com/promo/opera?ch=%s&sch=%s&ver=%s&lan=%s&os=%s&mid=%s&mver=%s&time=%I64d/down
Source: 4A15.exe, 00000019.00000003.523963155.0000000003170000.00000004.00001000.00020000.00000000.sdmp, 4A15.exe, 00000019.00000003.526468027.0000000003170000.00000004.00001000.00020000.00000000.sdmp, 4A15.exe, 00000019.00000003.523571046.0000000003170000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://papi.vk.com/pushsse/ruim
Source: AddInProcess32.exe, 00000012.00000002.709315982.0000000002DE7000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com
Source: AddInProcess32.exe, 00000012.00000002.709315982.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/xYhKBupz
Source: A388.exe, 0000000E.00000002.428047892.0000021354A50000.00000004.00000020.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.661613256.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/xYhKBupz1https://yip.su/RNWPd.exe7https://iplogger.com/1uNwK4
Source: AddInProcess32.exe, 00000012.00000002.709315982.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.comG
Source: AddInProcess32.exe, 00000012.00000002.709315982.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://potatogoose.com
Source: AddInProcess32.exe, 00000012.00000002.709315982.0000000002D97000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://potatogoose.com/03ea740ea772f2ff2218e4ed0bfbac4b/baf14778c246e15550645e30ba78ce1c.exe
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.589146137.00000000039CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://pp.nnnaajjjgc.com/
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.621914047.0000000003A32000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.624585849.0000000003A32000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://script.google.pp.nnnaajjjgc.com/check/?sid=1135936&key=9f52c9e763a3022767eed76259d3a4df
Source: AddInProcess32.exe, 00000012.00000002.709315982.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002DA7000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D83000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002DB0000.00000004.00000800.00020000.00000000.sdmp, Pwp3yspp3pM97CCYpnZxEaEs.exe, 0000001C.00000003.440105042.00000000025E8000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: 4A15.exe, 00000019.00000003.523963155.0000000003170000.00000004.00001000.00020000.00000000.sdmp, 4A15.exe, 00000019.00000003.526468027.0000000003170000.00000004.00001000.00020000.00000000.sdmp, 4A15.exe, 00000019.00000003.523571046.0000000003170000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://st6-20.vk.com
Source: 4A15.exe, 00000019.00000003.523963155.0000000003170000.00000004.00001000.00020000.00000000.sdmp, 4A15.exe, 00000019.00000003.526468027.0000000003170000.00000004.00001000.00020000.00000000.sdmp, 4A15.exe, 00000019.00000003.523571046.0000000003170000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://st6-20.vk.com/css/al/base.2e3fc345b3e9701dafc5.css
Source: 4A15.exe, 00000019.00000003.523963155.0000000003170000.00000004.00001000.00020000.00000000.sdmp, 4A15.exe, 00000019.00000003.526468027.0000000003170000.00000004.00001000.00020000.00000000.sdmp, 4A15.exe, 00000019.00000003.523571046.0000000003170000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://st6-20.vk.com/css/al/common.46325ec9e7cba25feea7.css
Source: 4A15.exe, 00000019.00000003.523963155.0000000003170000.00000004.00001000.00020000.00000000.sdmp, 4A15.exe, 00000019.00000003.526468027.0000000003170000.00000004.00001000.00020000.00000000.sdmp, 4A15.exe, 00000019.00000003.523571046.0000000003170000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://st6-20.vk.com/css/al/fonts_cnt.c7a76efe4d312a46c1b8.css
Source: 4A15.exe, 00000019.00000003.523963155.0000000003170000.00000004.00001000.00020000.00000000.sdmp, 4A15.exe, 00000019.00000003.526468027.0000000003170000.00000004.00001000.00020000.00000000.sdmp, 4A15.exe, 00000019.00000003.523571046.0000000003170000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://st6-20.vk.com/css/al/fonts_utf.7fa94adac24497ce4d3a.css
Source: 4A15.exe, 00000019.00000003.523963155.0000000003170000.00000004.00001000.00020000.00000000.sdmp, 4A15.exe, 00000019.00000003.526468027.0000000003170000.00000004.00001000.00020000.00000000.sdmp, 4A15.exe, 00000019.00000003.523571046.0000000003170000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://st6-20.vk.com/css/al/vkui.f5be3fae592194cc6a35.css
Source: 4A15.exe, 00000019.00000003.523963155.0000000003170000.00000004.00001000.00020000.00000000.sdmp, 4A15.exe, 00000019.00000003.526468027.0000000003170000.00000004.00001000.00020000.00000000.sdmp, 4A15.exe, 00000019.00000003.523571046.0000000003170000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://stats.vk-portal.net
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.582090716.00000000039DA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://telegram.org/pp.nnnaajjjgc.com/
Source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000400000.00000040.00000001.01000000.00000017.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.522431758.0000000000400000.00000040.00000001.01000000.00000019.sdmp	String found in binary or memory: https://turnitin.com/robot/crawlerinfo.html)cannot
Source: 4A15.exe, 00000019.00000003.523963155.0000000003170000.00000004.00001000.00020000.00000000.sdmp, 4A15.exe, 00000019.00000003.526468027.0000000003170000.00000004.00001000.00020000.00000000.sdmp, 4A15.exe, 00000019.00000003.523571046.0000000003170000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://vk.com
Source: 4A15.exe, 00000019.00000003.523963155.0000000003170000.00000004.00001000.00020000.00000000.sdmp, 4A15.exe, 00000019.00000003.526468027.0000000003170000.00000004.00001000.00020000.00000000.sdmp, 4A15.exe, 00000019.00000003.523571046.0000000003170000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/away.php?to=https%3A%2F%2F1l-go.mail.ru%2Fr%2Fadid%2F3245029_2013344%2Fpid%2F102819%2
Source: 4A15.exe, 00000019.00000002.528888660.0000000000629000.00000004.00000020.00020000.00000000.sdmp, 4A15.exe, 00000019.00000003.528105248.0000000000629000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://we.tl/t-e5pgPH03
Source: 4A15.exe, 00000019.00000002.528888660.0000000000629000.00000004.00000020.00020000.00000000.sdmp, 4A15.exe, 00000019.00000003.528105248.0000000000629000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://we.tl/t-e5pgPH03c
Source: 4A15.exe, 00000019.00000003.527825412.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, 4A15.exe, 00000019.00000003.528097167.00000000030A0000.00000004.00000020.00020000.00000000.sdmp, 4A15.exe, 00000019.00000002.529745378.00000000030A1000.00000004.00000020.00020000.00000000.sdmp, 4A15.exe, 00000019.00000002.528888660.000000000061C000.00000004.00000020.00020000.00000000.sdmp, 4A15.exe, 00000019.00000003.472838166.00000000030D9000.00000004.00000020.00020000.00000000.sdmp, 4A15.exe, 00000019.00000003.528105248.000000000061B000.00000004.00000020.00020000.00000000.sdmp, 4A15.exe, 00000019.00000003.526920988.00000000030A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://we.tl/t-e5pgPH03fe
Source: AddInProcess32.exe, 00000012.00000002.709315982.0000000002DAB000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amsangroup.com
Source: AddInProcess32.exe, 00000012.00000002.709315982.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002E77000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D83000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.amsangroup.com/wp-includes/net/gate4.exe
Source: 4A15.exe, 00000019.00000003.519668767.0000000003170000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.health.com/
Source: Pwp3yspp3pM97CCYpnZxEaEs.exe, 0000001C.00000003.440105042.00000000024F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.innosetup.com/
Source: Pwp3yspp3pM97CCYpnZxEaEs.exe, 0000001C.00000003.440105042.00000000024F0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://www.remobjects.com/ps
Source: AddInProcess32.exe, 00000012.00000002.709315982.0000000002D51000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://yip.su/RNWPd.exe
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000002.659717297.000000000143B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://z.nnnaajjjgc.com/
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000002.659717297.000000000143B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://z.nnnaajjjgc.com/4)
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000002.684798567.00007FF77A421000.00000040.00000001.01000000.0000000F.sdmp	String found in binary or memory: https://z.nnnaajjjgc.com/sts/imagd.jpg
Source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.557680058.000000000DCC8000.00000004.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.557680058.000000000DC88000.00000004.00001000.00020000.00000000.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.553319805.000000000DC14000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://zaoshanghao.su
Source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.557680058.000000000DCDA000.00000004.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.557680058.000000000DCC8000.00000004.00001000.00020000.00000000.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.553319805.000000000DC14000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://zaoshanghao.suMicrosoft
Source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.557680058.000000000DCDE000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://zaoshanghao.suhttp://cvwwajk56uu2la7jl4e2fdxy56veg5hqlaondeb7whvy2vlmreq6jnid.onionSoftware
Source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.557680058.000000000DC88000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://zaoshanghao.suhttps://zaoshanghao.suRegQueryValueExWUUIDPGDSE

Source: C:\Users\user\AppData\Local\Temp\4A15.exe

Code function: 11_2_0040CF10 _memset,InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

11_2_0040CF10

Source: svchost.exe, 00000004.00000003.424846400.000001AC765CC000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.424827668.000001AC765AB000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.424772638.000001AC765B9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\nCalls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy \| LEARN MORE at: https://messenger.com (https://messenger.com/)","ProductTitle":"Messenger","SearchTitles":[],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9WZDNCRF0083","Properties":{"PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","PackageIdentityName":"FACEBOOK.317180B0BB486","PublisherCertificateName":"CN=6E08453F-9BA7-4311-999C-D22FBA2FB1B8","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"c6a9fa5c-20a2-4e12-904d-edd408657dc8"},{"IdType":"LegacyWindowsPhoneProductId","Value":"3219d30d-4a23-4f58-a91c-c44b04e6a0c7"},{"IdType":"XboxTitleId","Value":"2004208728"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2023-09-11T23:48:25.5854013Z\|\|.\|\|a7da40df-b5be-40f6-b49d-5ac70d4d5568\|\|1152921505696762320\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2023-09-11T23:48:04.9851982Z","LocalizedProperties":[{"SkuDescription":"Made for big screens and close connections. Get access to free texting, and high-quality voice & video chat built specifically for desktop.\r\n\r\nMADE FOR DESKTOP, MADE
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000002.659798164.0000000002DF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: InitOnceExecuteOnceCreateSemaphoreWCreateSemaphoreExWCreateThreadpoolTimerSetThreadpoolTimerWaitForThreadpoolTimerCallbacksCloseThreadpoolTimerCreateThreadpoolWaitSetThreadpoolWaitCloseThreadpoolWaitFlushProcessWriteBuffersFreeLibraryWhenCallbackReturnsGetCurrentProcessorNumberCreateSymbolicLinkWGetCurrentPackageIdSetFileInformationByHandleInitializeConditionVariableWakeConditionVariableInitializeSRWLockAcquireSRWLockExclusiveTryAcquireSRWLockExclusiveReleaseSRWLockExclusiveSleepConditionVariableSRWCreateThreadpoolWorkSubmitThreadpoolWorkCloseThreadpoolWorkUnknown exceptionbad array new lengthstring too longmap/set too longMUI1isinstall0macuidun_pwdc_userdblnMozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36https://www.facebook.com/ed/login/ice-bas/login/dev"="st"azoe"jsd""luid"=urce""sot=oesjazlsd&d=&uirce=&souxt=&nehttps://www.facebook.com/login/device-based/login/ersc_uonkieJscoocookieJsonhttps://adsmanager.facebook.com/ads/manager/accounts<tbodyaccountIdpayInfo</tbody>></tr><tr?act</td> <tdlastRowdata-sortpaidbilling_statushttps://business.facebook.com/billing_hub/payment_settings/?asset_id=?asset_id"ACCOUNT_ID":"globalScopeID":token":""DTSGInitData""LSD",:"__spin_r""__spin_t"av=&__user=&__a=1&__csr=&__req=5&dpr=1&__ccg=EXCELLENT&__comet_req=0&fb_dtsg=&lsd=&__spin_r=&__spin_b=trunk&__spin_t=&fb_api_caller_class=RelayModern&fb_api_req_friendly_name=BillingAMNexusRootQuery&variables={"paymentAccountID":""}&server_timestamps=true&doc_id=4123775161071594https://business.facebook.com/api/graphql/?lll=pppdatabillable_account_by_payment_accountbilling_payment_accountbilling_payment_methodspayment_modesSUPPORTS_POSTPAYhttps://business.facebook.com/selectbusiness_id=businesshttps://www.facebook.com/pages/?category=your_pages&ref=bookmarks}"profile_switcher_eligible_profiles":{"count"hasHomePage"admined_pages":{"nodes":[{"id"aria-label="Verified"http://app.nnnaajjjgc.com/check/safe{"sid":0,"time":0,"rand_str":""}http://app.nnnaajjjgc.com/check/?sid=sid#IO$J2&89DFJ2^984%7FJfj<>asi?h3.728*fhastimerand_str89%3gj,IH@<F7>84\|j5kl3;4y:jdFJOhf01(92)3&key=invalid vector subscriptinvalid string positionvector too long equals www.facebook.com (Facebook)
Source: 4A15.exe, 00000019.00000003.516141592.0000000003170000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: URL=http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: 4A15.exe, 00000019.00000003.516314996.0000000003170000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: URL=http://www.twitter.com/ equals www.twitter.com (Twitter)
Source: 4A15.exe, 00000019.00000003.516430209.0000000003170000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: URL=http://www.youtube.com/ equals www.youtube.com (Youtube)
Source: svchost.exe, 00000004.00000002.448011878.000001AC75CC2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \nLike us on Facebook: http://www.facebook.com/spotify\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"Sear equals www.facebook.com (Facebook)
Source: svchost.exe, 00000004.00000002.448011878.000001AC75CC2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \nLike us on Facebook: http://www.facebook.com/spotify\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"Sear equals www.twitter.com (Twitter)
Source: svchost.exe, 00000004.00000002.448011878.000001AC75CC2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \nLike us on Facebook: http://www.facebook.com/spotify\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"Sear(x equals www.facebook.com (Facebook)
Source: svchost.exe, 00000004.00000002.448011878.000001AC75CC2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \nLike us on Facebook: http://www.facebook.com/spotify\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"Sear(x equals www.twitter.com (Twitter)
Source: svchost.exe, 00000004.00000003.436311110.000001AC765AF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.436303029.000001AC765A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \nLike us on Facebook: http://www.facebook.com/spotify\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2023-09-22T12:09:58.6371163Z\|\|.\|\|ac40657f-579b-4a38-b3ff-1e6a8cd648f9\|\|1152921505696806515\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":["HeadlessApp"],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"202
Source: svchost.exe, 00000004.00000003.436311110.000001AC765AF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.436303029.000001AC765A2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \nLike us on Facebook: http://www.facebook.com/spotify\nFollow us on Twitter: http://twitter.com/spotify","ProductTitle":"Spotify - Music and Podcasts","SearchTitles":[{"SearchTitleString":"Spotify","SearchTitleType":"SearchHint"},{"SearchTitleString":"Music","SearchTitleType":"SearchHint"},{"SearchTitleString":"music apps","SearchTitleType":"SearchHint"},{"SearchTitleString":"free music","SearchTitleType":"SearchHint"},{"SearchTitleString":"podcasts","SearchTitleType":"SearchHint"},{"SearchTitleString":"streaming","SearchTitleType":"SearchHint"},{"SearchTitleString":"soundcloud","SearchTitleType":"SearchHint"}],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9NCBCSZSJRSB","Properties":{"PackageFamilyName":"SpotifyAB.SpotifyMusic_zpdnekdrzrea0","PackageIdentityName":"SpotifyAB.SpotifyMusic","PublisherCertificateName":"CN=453637B3-4E12-4CDF-B0D3-2A3C863BF6EF","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"ceac5d3f-8a4f-40e1-9a67-76d9108c7cb5"},{"IdType":"LegacyWindowsPhoneProductId","Value":"caac1b9d-621b-4f96-b143-e10e1397740a"},{"IdType":"XboxTitleId","Value":"1681279293"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2023-09-22T12:09:58.6371163Z\|\|.\|\|ac40657f-579b-4a38-b3ff-1e6a8cd648f9\|\|1152921505696806515\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":["HeadlessApp"],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"202
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000002.659798164.0000000002DF0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: iostreambad castbad locale nameios_base::badbit setios_base::failbit setios_base::eofbit setinvalid stoi argumentstoi argument out of range^(([^:\/?#]+):)?(//([^\/?#:])(:([^\/?#]))?)?([^?#])(\?([^#]))?(#(.))?httphttps?POSTGET/device-based/loginContent-Type: application/x-www-form-urlencodedContent-Length: facebooksec-ch-ua: "Not.A/Brand";v="8", "Chromium";v="114", "Microsoft Edge";v="114"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9Accept-Language: en,q=0.9;q=0.8,ja;q=0.7,af;q=0.6,am;q=0.5,sq;q=0.4,ar;q=0.3,an;q=0.2,hy;q=0.1,ast;q=0.1,az;q=0.1,bn;q=0.1,eu;q=0.1Connection: keep-alive/selectHost: business.facebook.comsec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"sec-ch-prefers-color-scheme: lightUpgrade-Insecure-Requests: 1Sec-Fetch-Mode: navigate: ?1Sec-Fetch-Userest: documentSec-Fetch-Dame-originch-Site: sSec-Fet/accountsHost: adsmanager.facebook.com/billing_hub/bile: ?0a-mosec-ch-urm: "Windows"latfosec-ch-ua-polor-scheme: lightefers-csec-ch-precure-Requests: 1de-InsUpgraetch-Site: noneSec-Fode: navigateetch-Mer: ?1c-Fetch-UsSementest: docutch-DSec-Feapi/graphql/?lll=pppX-FB-Friendly-Name: BillingHubPaymentSettingsPaymentMethodsListQueryOrigin: https://business.facebook.comSec-Fetch-Site: same-originSec-Fetch-Mode: corsSec-Fetch-Dest: empty/v15.0/k.comcebooHost: graph.fadows": "Winsec-ch-ua-platform-urlencodedpplication/x-www-formContent-type: aept: /*Accok.comaceboOrigin: https://www.fame-sitetch-Site: stch-Mode: corsmptych-Dest: eook.com///www.facebReferer: https:ook.comw.facebHost: wwobile: ?0-ch-ua-msecindows"a-platform: "Ws-color-scheme: lightprefersec-ch-equests: 1ecure-RUpgrade-InsSec-Fetch-Site: noneMode: navigateSec-Fetch-ser: ?1Sec-Fetch-Uentst: documSec-Fetch-DeCache-Control: max-age=0vector<bool> too longalnumalnumalphaalphablankblankcntrlcntrldddigitdigitgraphgraphlowerlowerprintprintpunctpunctspacespacesupperupperwwxdigitxdigit equals www.facebook.com (Facebook)
Source: svchost.exe, 00000004.00000003.424833774.000001AC7656C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\nCalls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy \| LEARN MORE at: https://messenger.com (https://messenger.com/)","ProductTitle":"Messenger","SearchTitles":[],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9WZDNCRF0083","Properties":{"PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","PackageIdentityName":"FACEBOOK.317180B0BB486","PublisherCertificateName":"CN=6E08453F-9BA7-4311-999C-D22FBA2FB1B8","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"c6a9fa5c-20a2-4e12-904d-edd408657dc8"},{"IdType":"LegacyWindowsPhoneProductId","Value":"3219d30d-4a23-4f58-a91c-c44b04e6a0c7"},{"IdType":"XboxTitleId","Value":"2004208728"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2023-09-11T23:48:25.5854013Z\|\|.\|\|a7da40df-b5be-40f6-b49d-5ac70d4d5568\|\|1152921505696762320\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2023-09-11T23:48:04.9851982Z","LocalizedProperties":[{"SkuDescription":"Made for big screens and close connections. Get access to free texting, and high-quality voice & video chat built specifically for desktop.\r\n\r\nMADE FOR DESKTOP, MADE
Source: svchost.exe, 00000004.00000003.424833774.000001AC7656C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000003.424817479.000001AC7659A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: t enough.\r\n\r\nSHARE WITH FRIENDS\r\nSend photos and videos to keep your close friends up to speed. Receive files for even more productivity.\r\n\r\n\r\nCalls are free over Wi-Fi but otherwise standard data charges apply.\r\nPrivacy Policy: https://www.facebook.com/about/privacy \| LEARN MORE at: https://messenger.com (https://messenger.com/)","ProductTitle":"Messenger","SearchTitles":[],"Language":"en-us","Markets":["US","DZ","AR","AU","AT","BH","BD","BE","BR","BG","CA","CL","CN","CO","CR","HR","CY","CZ","DK","EG","EE","FI","FR","DE","GR","GT","HK","HU","IS","IN","ID","IQ","IE","IL","IT","JP","JO","KZ","KE","KW","LV","LB","LI","LT","LU","MY","MT","MR","MX","MA","NL","NZ","NG","NO","OM","PK","PE","PH","PL","PT","QA","RO","RU","SA","RS","SG","SK","SI","ZA","KR","ES","SE","CH","TW","TH","TT","TN","TR","UA","AE","GB","VN","YE","LY","LK","UY","VE","AF","AX","AL","AS","AO","AI","AQ","AG","AM","AW","BO","BQ","BA","BW","BV","IO","BN","BF","BI","KH","CM","CV","KY","CF","TD","TL","DJ","DM","DO","EC","SV","GQ","ER","ET","FK","FO","FJ","GF","PF","TF","GA","GM","GE","GH","GI","GL","GD","GP","GU","GG","GN","GW","GY","HT","HM","HN","AZ","BS","BB","BY","BZ","BJ","BM","BT","KM","CG","CD","CK","CX","CC","CI","CW","JM","SJ","JE","KI","KG","LA","LS","LR","MO","MK","MG","MW","IM","MH","MQ","MU","YT","FM","MD","MN","MS","MZ","MM","NA","NR","NP","MV","ML","NC","NI","NE","NU","NF","PW","PS","PA","PG","PY","RE","RW","BL","MF","WS","ST","SN","MP","PN","SX","SB","SO","SC","SL","GS","SH","KN","LC","PM","VC","TJ","TZ","TG","TK","TO","TM","TC","TV","UM","UG","VI","VG","WF","EH","ZM","ZW","UZ","VU","SR","SZ","AD","MC","SM","ME","VA","NEUTRAL"]}],"MarketProperties":[{"RelatedProducts":[],"Markets":["US"]}],"ProductASchema":"Product;3","ProductBSchema":"ProductUnifiedApp;3","ProductId":"9WZDNCRF0083","Properties":{"PackageFamilyName":"Facebook.317180B0BB486_8xx8rvfyw5nnt","PackageIdentityName":"FACEBOOK.317180B0BB486","PublisherCertificateName":"CN=6E08453F-9BA7-4311-999C-D22FBA2FB1B8","XboxCrossGenSetId":null,"XboxConsoleGenOptimized":null,"XboxConsoleGenCompatible":null},"AlternateIds":[{"IdType":"LegacyWindowsStoreProductId","Value":"c6a9fa5c-20a2-4e12-904d-edd408657dc8"},{"IdType":"LegacyWindowsPhoneProductId","Value":"3219d30d-4a23-4f58-a91c-c44b04e6a0c7"},{"IdType":"XboxTitleId","Value":"2004208728"}],"IngestionSource":"DCE","IsMicrosoftProduct":false,"PreferredSkuId":"0010","ProductType":"Application","ValidationData":{"PassedValidation":false,"RevisionId":"2023-09-11T23:48:25.5854013Z\|\|.\|\|a7da40df-b5be-40f6-b49d-5ac70d4d5568\|\|1152921505696762320\|\|Null\|\|fullrelease","ValidationResultUri":""},"MerchandizingTags":[],"PartD":"","ProductFamily":"Apps","ProductKind":"Application","DisplaySkuAvailabilities":[{"Sku":{"LastModifiedDate":"2023-09-11T23:48:04.9851982Z","LocalizedProperties":[{"SkuDescription":"Made for big screens and close connections. Get access to free texting, and high-quality voice & video chat built specifically for desktop.\r\n\r\nMADE FOR DESKTOP, MADE

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 37.2.t3PINyJoW83t7JJSZ5BPE6bi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.t3PINyJoW83t7JJSZ5BPE6bi.exe.27d15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000025.00000002.457133950.00000000004E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.376788233.0000000004111000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.376714688.0000000002600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.428808631.00000000040F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.428789330.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.457074870.00000000004B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\AppData\Local\Temp\4A15.exe

Code function: 11_2_004822E0 CreateDCA,CreateCompatibleDC,GetDeviceCaps,GetDeviceCaps,GetDeviceCaps,CreateCompatibleBitmap,SelectObject,GetObjectA,BitBlt,GetBitmapBits,SelectObject,DeleteObject,DeleteDC,DeleteDC,DeleteDC,

11_2_004822E0

Source: file.exe, 00000001.00000002.376731132.0000000002648000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

memstr_e12d178d-f

E-Banking Fraud

Yara detected Glupteba

Source: Yara match	File source: 36.2.f8hJzDp1zQtAPJgciyNSoGpb.exe.4b20e67.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.941caPIfMmGnCq8PWe7WWHEk.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.f8hJzDp1zQtAPJgciyNSoGpb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.941caPIfMmGnCq8PWe7WWHEk.exe.4af0e67.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000022.00000002.525875413.0000000000843000.00000040.00000001.01000000.00000017.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.541185132.0000000004F63000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.522431758.0000000000843000.00000040.00000001.01000000.00000019.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.550001229.0000000004F33000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 941caPIfMmGnCq8PWe7WWHEk.exe PID: 7140, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Found ransom note / readme

Source: C:\_readme.txt

Dropped file: ATTENTION!Don't worry, you can return all your files!All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key.The only method of recovering files is to purchase decrypt tool and unique key for you.This software will decrypt all your encrypted files.What guarantees you have?You can send one of your encrypted file from your PC and we decrypt it for free.But we can decrypt only 1 file for free. File must not contain valuable information.You can get and look video overview decrypt tool:https://we.tl/t-e5pgPH03fePrice of private key and decrypt software is $980.Discount 50% available if you contact us first 72 hours, that's price for you is $490.Please note that you'll never restore your data without payment.Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours.To get this software you need write on our e-mail:support@freshmail.topReserve e-mail address to contact us:datarestorehelp@airmail.ccYour personal ID:0793lfyRgbm7aZ5zpjJggzyGva9vFH6Xpmk3xwjgrUmT

Jump to dropped file

Yara detected Babuk Ransomware

Source: Yara match

File source: Process Memory Space: 4A15.exe PID: 6392, type: MEMORYSTR

Yara detected Djvu Ransomware

Source: Yara match	File source: 25.2.4A15.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.4A15.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.4A15.exe.43815a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 24.2.4A15.exe.43815a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.4A15.exe.44715a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.4A15.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.4A15.exe.43915a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.4A15.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.4A15.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 27.2.4A15.exe.43915a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.4A15.exe.44715a0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 29.2.4A15.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.419357601.0000000004470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.436925476.0000000004380000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.528674260.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.665875140.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001B.00000002.521687562.0000000004390000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.435887482.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 4A15.exe PID: 4692, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 4A15.exe PID: 3164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 4A15.exe PID: 5976, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 4A15.exe PID: 6392, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 4A15.exe PID: 2456, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: 4A15.exe PID: 2884, type: MEMORYSTR

Modifies existing user documents (likely ransomware behavior)

Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File moved: C:\Users\user\Desktop\MXPXCVPDVN\MXPXCVPDVN.docx
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File moved: C:\Users\user\Desktop\MXPXCVPDVN\NEBFQQYWPS.jpg
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File moved: C:\Users\user\Desktop\SFPUSAFIOL\ZQIXMVQGAH.pdf
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File moved: C:\Users\user\Desktop\IPKGELNTQY\QCFWYSKMHA.pdf
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File moved: C:\Users\user\Desktop\ZQIXMVQGAH.xlsx

Writes many files with high entropy

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\yRbowIjZdxellWMLi8kEb6gJ.exe entropy: 7.99591438001	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\GlKtZqXQAiyhJM8NCtTVvYcF.exe entropy: 7.99591438001	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\VWecoOkiAKSpFQMeoTrTyGCa.exe entropy: 7.99591438001	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\46ajs7POqByEYUKIKWz4ttVU.exe entropy: 7.99591438001	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\ZMVfke3FfhAYexvtpGaP7QO0.exe entropy: 7.99591438001	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\3zaREjkJ8eT5V6QYRyuztw7a.exe entropy: 7.99591438001	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\N5fklblcsXVYu4JmfhsKVoFv.exe entropy: 7.99591438001	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\FGncB6Cizu2PKxdPqCgKygMO.exe entropy: 7.99984962795	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\zDIXJhMuVzNtJxExlDXABWMh.exe entropy: 7.99591438001	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\ghXDF7wc1k0lMAVWTQE9mN9d.exe entropy: 7.99591438001	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1049\eula.rtf entropy: 7.99076919624	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1049\LocalizedData.xml entropy: 7.99754285623	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1053\LocalizedData.xml entropy: 7.99786232361	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1055\LocalizedData.xml entropy: 7.99782642787	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\2052\LocalizedData.xml entropy: 7.9973313107	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\2070\LocalizedData.xml entropy: 7.99781623342	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\3082\LocalizedData.xml entropy: 7.99791484053	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\Graphics\Print.ico entropy: 7.99851955206	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\Graphics\Rotate1.ico entropy: 7.99894080626	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\Graphics\Rotate10.ico entropy: 7.9985073103	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\Graphics\Rotate2.ico entropy: 7.99869741568	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\Graphics\Rotate3.ico entropy: 7.9987694436	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\Graphics\Rotate4.ico entropy: 7.99867667446	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\Graphics\Rotate5.ico entropy: 7.99868049861	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\Graphics\Rotate6.ico entropy: 7.99863013359	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\Graphics\Rotate7.ico entropy: 7.99883156893	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\Graphics\Rotate8.ico entropy: 7.99878346558	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\Graphics\Rotate9.ico entropy: 7.99874641609	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\Graphics\Save.ico entropy: 7.99842005011	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\Graphics\Setup.ico entropy: 7.99863774825	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\Graphics\SysReqMet.ico entropy: 7.99888594552	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\Graphics\SysReqNotMet.ico entropy: 7.99859493498	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\DisplayIcon.ico entropy: 7.99762161073	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\Setup.exe entropy: 7.99839623586	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\SetupUi.xsd entropy: 7.99398242604	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\SplashScreen.bmp entropy: 7.99847173258	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\UiInfo.xml entropy: 7.99673571701	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\watermark.bmp entropy: 7.99811635994	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1025\LocalizedData.xml entropy: 7.99764925768	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1028\LocalizedData.xml entropy: 7.99723183467	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1029\LocalizedData.xml entropy: 7.99813486448	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1030\LocalizedData.xml entropy: 7.9973820247	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1031\LocalizedData.xml entropy: 7.99796232163	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1032\LocalizedData.xml entropy: 7.99785301137	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1033\LocalizedData.xml entropy: 7.99773003168	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1035\LocalizedData.xml entropy: 7.99754727376	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1036\LocalizedData.xml entropy: 7.99794968928	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1037\LocalizedData.xml entropy: 7.9980651264	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1038\LocalizedData.xml entropy: 7.99798098502	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1040\LocalizedData.xml entropy: 7.99805711069	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1041\eula.rtf entropy: 7.99217307553	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1041\LocalizedData.xml entropy: 7.99790523034	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1042\eula.rtf entropy: 7.99007850689	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1042\LocalizedData.xml entropy: 7.99723894124	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1043\LocalizedData.xml entropy: 7.99791986218	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1044\LocalizedData.xml entropy: 7.99734842538	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1045\LocalizedData.xml entropy: 7.99800749719	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1046\LocalizedData.xml entropy: 7.99775905389	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\DisplayIcon.ico.azhi (copy) entropy: 7.99762161073	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\Setup.exe.azhi (copy) entropy: 7.99839623586	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\SetupUi.xsd.azhi (copy) entropy: 7.99398242604	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\SplashScreen.bmp.azhi (copy) entropy: 7.99847173258	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\UiInfo.xml.azhi (copy) entropy: 7.99673571701	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\watermark.bmp.azhi (copy) entropy: 7.99811635994	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1025\LocalizedData.xml.azhi (copy) entropy: 7.99764925768	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1028\LocalizedData.xml.azhi (copy) entropy: 7.99723183467	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1029\LocalizedData.xml.azhi (copy) entropy: 7.99813486448	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1030\LocalizedData.xml.azhi (copy) entropy: 7.9973820247	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1031\LocalizedData.xml.azhi (copy) entropy: 7.99796232163	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1032\LocalizedData.xml.azhi (copy) entropy: 7.99785301137	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1033\LocalizedData.xml.azhi (copy) entropy: 7.99773003168	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1035\LocalizedData.xml.azhi (copy) entropy: 7.99754727376	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1036\LocalizedData.xml.azhi (copy) entropy: 7.99794968928	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1037\LocalizedData.xml.azhi (copy) entropy: 7.9980651264	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1038\LocalizedData.xml.azhi (copy) entropy: 7.99798098502	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1040\LocalizedData.xml.azhi (copy) entropy: 7.99805711069	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1041\eula.rtf.azhi (copy) entropy: 7.99217307553	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1041\LocalizedData.xml.azhi (copy) entropy: 7.99790523034	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1042\eula.rtf.azhi (copy) entropy: 7.99007850689	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1042\LocalizedData.xml.azhi (copy) entropy: 7.99723894124	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1043\LocalizedData.xml.azhi (copy) entropy: 7.99791986218	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1044\LocalizedData.xml.azhi (copy) entropy: 7.99734842538	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1045\LocalizedData.xml.azhi (copy) entropy: 7.99800749719	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1046\LocalizedData.xml.azhi (copy) entropy: 7.99775905389	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1049\eula.rtf.azhi (copy) entropy: 7.99076919624	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1049\LocalizedData.xml.azhi (copy) entropy: 7.99754285623	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1053\LocalizedData.xml.azhi (copy) entropy: 7.99786232361	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1055\LocalizedData.xml.azhi (copy) entropy: 7.99782642787	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\2052\LocalizedData.xml.azhi (copy) entropy: 7.9973313107	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\2070\LocalizedData.xml.azhi (copy) entropy: 7.99781623342	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\3082\LocalizedData.xml.azhi (copy) entropy: 7.99791484053	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\Graphics\Print.ico.azhi (copy) entropy: 7.99851955206	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\Graphics\Rotate1.ico.azhi (copy) entropy: 7.99894080626	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\Graphics\Rotate10.ico.azhi (copy) entropy: 7.9985073103	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\Graphics\Rotate2.ico.azhi (copy) entropy: 7.99869741568	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\Graphics\Rotate3.ico.azhi (copy) entropy: 7.9987694436	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\Graphics\Rotate4.ico.azhi (copy) entropy: 7.99867667446	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\Graphics\Rotate5.ico.azhi (copy) entropy: 7.99868049861	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\Graphics\Rotate6.ico.azhi (copy) entropy: 7.99863013359	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\Graphics\Rotate7.ico.azhi (copy) entropy: 7.99883156893	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\Graphics\Rotate8.ico.azhi (copy) entropy: 7.99878346558	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\Graphics\Rotate9.ico.azhi (copy) entropy: 7.99874641609	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\Graphics\Save.ico.azhi (copy) entropy: 7.99842005011	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\Graphics\Setup.ico.azhi (copy) entropy: 7.99863774825	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\Graphics\SysReqMet.ico.azhi (copy) entropy: 7.99888594552	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\Graphics\SysReqNotMet.ico.azhi (copy) entropy: 7.99859493498	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\Users\user\Pictures\FGncB6Cizu2PKxdPqCgKygMO.exe.azhi (copy) entropy: 7.99984962795	Jump to dropped file

Writes a notice file (html or txt) to demand a ransom

Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File dropped: C:\_readme.txt -> decrypt tool and unique key for you.this software will decrypt all your encrypted files.what guarantees you have?you can send one of your encrypted file from your pc and we decrypt it for free.but we can decrypt only 1 file for free. file must not contain valuable information.you can get and look video overview decrypt tool:https://we.tl/t-e5pgph03feprice of private key and decrypt software is $980.discount 50% available if you contact us first 72 hours, that's price for you is $490.please note that you'll never restore your data without payment.check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.to get this software you need write on our e-mail:support@freshmail.topreserve e-mail address to contact us:datarestorehelp@airmail.ccyour personal id:0793lfyrgbm7az5zpjjggzygva9vfh6xpmk3xwjgrumt	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File dropped: C:\adc91a0e0132170ee1c9ace67d4b\_readme.txt -> decrypt tool and unique key for you.this software will decrypt all your encrypted files.what guarantees you have?you can send one of your encrypted file from your pc and we decrypt it for free.but we can decrypt only 1 file for free. file must not contain valuable information.you can get and look video overview decrypt tool:https://we.tl/t-e5pgph03feprice of private key and decrypt software is $980.discount 50% available if you contact us first 72 hours, that's price for you is $490.please note that you'll never restore your data without payment.check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.to get this software you need write on our e-mail:support@freshmail.topreserve e-mail address to contact us:datarestorehelp@airmail.ccyour personal id:0793lfyrgbm7az5zpjjggzygva9vfh6xpmk3xwjgrumt	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File dropped: C:\adc91a0e0132170ee1c9ace67d4b\1025\_readme.txt -> decrypt tool and unique key for you.this software will decrypt all your encrypted files.what guarantees you have?you can send one of your encrypted file from your pc and we decrypt it for free.but we can decrypt only 1 file for free. file must not contain valuable information.you can get and look video overview decrypt tool:https://we.tl/t-e5pgph03feprice of private key and decrypt software is $980.discount 50% available if you contact us first 72 hours, that's price for you is $490.please note that you'll never restore your data without payment.check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.to get this software you need write on our e-mail:support@freshmail.topreserve e-mail address to contact us:datarestorehelp@airmail.ccyour personal id:0793lfyrgbm7az5zpjjggzygva9vfh6xpmk3xwjgrumt	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File dropped: C:\adc91a0e0132170ee1c9ace67d4b\1028\_readme.txt -> decrypt tool and unique key for you.this software will decrypt all your encrypted files.what guarantees you have?you can send one of your encrypted file from your pc and we decrypt it for free.but we can decrypt only 1 file for free. file must not contain valuable information.you can get and look video overview decrypt tool:https://we.tl/t-e5pgph03feprice of private key and decrypt software is $980.discount 50% available if you contact us first 72 hours, that's price for you is $490.please note that you'll never restore your data without payment.check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.to get this software you need write on our e-mail:support@freshmail.topreserve e-mail address to contact us:datarestorehelp@airmail.ccyour personal id:0793lfyrgbm7az5zpjjggzygva9vfh6xpmk3xwjgrumt	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File dropped: C:\adc91a0e0132170ee1c9ace67d4b\1029\_readme.txt -> decrypt tool and unique key for you.this software will decrypt all your encrypted files.what guarantees you have?you can send one of your encrypted file from your pc and we decrypt it for free.but we can decrypt only 1 file for free. file must not contain valuable information.you can get and look video overview decrypt tool:https://we.tl/t-e5pgph03feprice of private key and decrypt software is $980.discount 50% available if you contact us first 72 hours, that's price for you is $490.please note that you'll never restore your data without payment.check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.to get this software you need write on our e-mail:support@freshmail.topreserve e-mail address to contact us:datarestorehelp@airmail.ccyour personal id:0793lfyrgbm7az5zpjjggzygva9vfh6xpmk3xwjgrumt	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File dropped: C:\adc91a0e0132170ee1c9ace67d4b\1030\_readme.txt -> decrypt tool and unique key for you.this software will decrypt all your encrypted files.what guarantees you have?you can send one of your encrypted file from your pc and we decrypt it for free.but we can decrypt only 1 file for free. file must not contain valuable information.you can get and look video overview decrypt tool:https://we.tl/t-e5pgph03feprice of private key and decrypt software is $980.discount 50% available if you contact us first 72 hours, that's price for you is $490.please note that you'll never restore your data without payment.check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.to get this software you need write on our e-mail:support@freshmail.topreserve e-mail address to contact us:datarestorehelp@airmail.ccyour personal id:0793lfyrgbm7az5zpjjggzygva9vfh6xpmk3xwjgrumt	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File dropped: C:\adc91a0e0132170ee1c9ace67d4b\1031\_readme.txt -> decrypt tool and unique key for you.this software will decrypt all your encrypted files.what guarantees you have?you can send one of your encrypted file from your pc and we decrypt it for free.but we can decrypt only 1 file for free. file must not contain valuable information.you can get and look video overview decrypt tool:https://we.tl/t-e5pgph03feprice of private key and decrypt software is $980.discount 50% available if you contact us first 72 hours, that's price for you is $490.please note that you'll never restore your data without payment.check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.to get this software you need write on our e-mail:support@freshmail.topreserve e-mail address to contact us:datarestorehelp@airmail.ccyour personal id:0793lfyrgbm7az5zpjjggzygva9vfh6xpmk3xwjgrumt	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File dropped: C:\adc91a0e0132170ee1c9ace67d4b\1032\_readme.txt -> decrypt tool and unique key for you.this software will decrypt all your encrypted files.what guarantees you have?you can send one of your encrypted file from your pc and we decrypt it for free.but we can decrypt only 1 file for free. file must not contain valuable information.you can get and look video overview decrypt tool:https://we.tl/t-e5pgph03feprice of private key and decrypt software is $980.discount 50% available if you contact us first 72 hours, that's price for you is $490.please note that you'll never restore your data without payment.check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.to get this software you need write on our e-mail:support@freshmail.topreserve e-mail address to contact us:datarestorehelp@airmail.ccyour personal id:0793lfyrgbm7az5zpjjggzygva9vfh6xpmk3xwjgrumt	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File dropped: C:\adc91a0e0132170ee1c9ace67d4b\1033\_readme.txt -> decrypt tool and unique key for you.this software will decrypt all your encrypted files.what guarantees you have?you can send one of your encrypted file from your pc and we decrypt it for free.but we can decrypt only 1 file for free. file must not contain valuable information.you can get and look video overview decrypt tool:https://we.tl/t-e5pgph03feprice of private key and decrypt software is $980.discount 50% available if you contact us first 72 hours, that's price for you is $490.please note that you'll never restore your data without payment.check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.to get this software you need write on our e-mail:support@freshmail.topreserve e-mail address to contact us:datarestorehelp@airmail.ccyour personal id:0793lfyrgbm7az5zpjjggzygva9vfh6xpmk3xwjgrumt	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File dropped: C:\adc91a0e0132170ee1c9ace67d4b\1035\_readme.txt -> decrypt tool and unique key for you.this software will decrypt all your encrypted files.what guarantees you have?you can send one of your encrypted file from your pc and we decrypt it for free.but we can decrypt only 1 file for free. file must not contain valuable information.you can get and look video overview decrypt tool:https://we.tl/t-e5pgph03feprice of private key and decrypt software is $980.discount 50% available if you contact us first 72 hours, that's price for you is $490.please note that you'll never restore your data without payment.check your e-mail "spam" or "junk" folder if you don't get answer more than 6 hours.to get this software you need write on our e-mail:support@freshmail.topreserve e-mail address to contact us:datarestorehelp@airmail.ccyour personal id:0793lfyrgbm7az5zpjjggzygva9vfh6xpmk3xwjgrumt	Jump to dropped file

System Summary

Malicious sample detected (through community Yara rule)

Source: 33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.50dd858.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 25.2.4A15.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 25.2.4A15.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 25.2.4A15.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 25.2.4A15.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 24.2.4A15.exe.43815a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 24.2.4A15.exe.43815a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 24.2.4A15.exe.43815a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 24.2.4A15.exe.43815a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 10.2.4A15.exe.44715a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 10.2.4A15.exe.44715a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 11.2.4A15.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 11.2.4A15.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.50dd858.3.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.4260000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects OnlyLogger loader variants Author: ditekSHen
Source: 33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.508b050.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.4260000.0.unpack, type: UNPACKEDPE	Matched rule: Detects OnlyLogger loader variants Author: ditekSHen
Source: 27.2.4A15.exe.43915a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 27.2.4A15.exe.43915a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.506d050.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.508b050.2.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.506d050.7.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 11.2.4A15.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 11.2.4A15.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.5146010.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 29.2.4A15.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 29.2.4A15.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.5146010.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 27.2.4A15.exe.43915a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 27.2.4A15.exe.43915a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 10.2.4A15.exe.44715a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 10.2.4A15.exe.44715a0.1.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 29.2.4A15.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 29.2.4A15.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000025.00000002.457133950.00000000004E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000001.00000002.376788233.0000000004111000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000022.00000002.542182071.00000000046F2000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000024.00000002.541185132.0000000004B20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000001B.00000002.521657270.00000000042E3000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000001F.00000002.446630399.0000000002858000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000A.00000002.419357601.0000000004470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000018.00000002.436925476.0000000004380000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000022.00000002.550001229.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000019.00000002.528674260.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000019.00000002.528674260.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000001.00000002.376743466.0000000002659000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000A.00000002.419328976.000000000429C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000001.00000002.376714688.0000000002600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000007.00000002.428763684.00000000026F8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000007.00000002.428808631.00000000040F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000018.00000002.436833878.0000000004194000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000021.00000003.444125965.0000000004260000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects OnlyLogger loader variants Author: ditekSHen
Source: 0000001D.00000002.665875140.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000001D.00000002.665875140.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: 00000007.00000002.428745109.00000000026D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000024.00000002.531504418.0000000004625000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000001B.00000002.521687562.0000000004390000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 00000001.00000002.376709250.00000000025F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000007.00000002.428789330.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000025.00000002.457074870.00000000004B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000B.00000002.435887482.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: 0000000B.00000002.435887482.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects STOP ransomware Author: ditekSHen
Source: Process Memory Space: 4A15.exe PID: 4692, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: 4A15.exe PID: 3164, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: 4A15.exe PID: 5976, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: 4A15.exe PID: 6392, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: 4A15.exe PID: 2456, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: Process Memory Space: 4A15.exe PID: 2884, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff Author: unknown
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\s51[1], type: DROPPED	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: C:\Users\user\AppData\Local\4204bcd2-893f-40a6-aea5-23bed3094b06\build3.exe, type: DROPPED	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: C:\Users\user\AppData\Local\4204bcd2-893f-40a6-aea5-23bed3094b06\build3.exe, type: DROPPED	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: C:\Users\user\Pictures\Minor Policy\oM7t40xLe0OgCrSQGKhQ7p6Z.exe, type: DROPPED	Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\build3[1].exe, type: DROPPED	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d Author: unknown
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\build3[1].exe, type: DROPPED	Matched rule: Windows_Trojan_Clipbanker_787b130b Author: unknown
Source: C:\Users\user\AppData\Local\Temp\BB52.exe, type: DROPPED	Matched rule: Detects downloader / injector Author: ditekSHen

PE file contains section with special chars

Source: uYMXNl5sSvaZoW3VwBNxI0U7.exe.18.dr	Static PE information: section name:
Source: uYMXNl5sSvaZoW3VwBNxI0U7.exe.18.dr	Static PE information: section name:
Source: uYMXNl5sSvaZoW3VwBNxI0U7.exe.18.dr	Static PE information: section name:
Source: uYMXNl5sSvaZoW3VwBNxI0U7.exe.18.dr	Static PE information: section name:
Source: uYMXNl5sSvaZoW3VwBNxI0U7.exe.18.dr	Static PE information: section name:
Source: uYMXNl5sSvaZoW3VwBNxI0U7.exe.18.dr	Static PE information: section name: .7-Zip0
Source: uYMXNl5sSvaZoW3VwBNxI0U7.exe.18.dr	Static PE information: section name:
Source: uYMXNl5sSvaZoW3VwBNxI0U7.exe.18.dr	Static PE information: section name: .7-Zip1
Source: uYMXNl5sSvaZoW3VwBNxI0U7.exe.18.dr	Static PE information: section name: .7-Zip2
Source: uYMXNl5sSvaZoW3VwBNxI0U7.exe.18.dr	Static PE information: section name: .7-Zip3
Source: P94EhV34EPtPaMGwUp1MdOBl.exe.18.dr	Static PE information: section name:
Source: P94EhV34EPtPaMGwUp1MdOBl.exe.18.dr	Static PE information: section name:
Source: P94EhV34EPtPaMGwUp1MdOBl.exe.18.dr	Static PE information: section name:
Source: P94EhV34EPtPaMGwUp1MdOBl.exe.18.dr	Static PE information: section name:
Source: P94EhV34EPtPaMGwUp1MdOBl.exe.18.dr	Static PE information: section name:
Source: P94EhV34EPtPaMGwUp1MdOBl.exe.18.dr	Static PE information: section name: .7-Zip0
Source: P94EhV34EPtPaMGwUp1MdOBl.exe.18.dr	Static PE information: section name:
Source: P94EhV34EPtPaMGwUp1MdOBl.exe.18.dr	Static PE information: section name: .7-Zip1
Source: P94EhV34EPtPaMGwUp1MdOBl.exe.18.dr	Static PE information: section name: .7-Zip2
Source: P94EhV34EPtPaMGwUp1MdOBl.exe.18.dr	Static PE information: section name: .7-Zip3
Source: opugKRO9HQIQrHGr6X89OLro.exe.18.dr	Static PE information: section name:
Source: opugKRO9HQIQrHGr6X89OLro.exe.18.dr	Static PE information: section name:
Source: opugKRO9HQIQrHGr6X89OLro.exe.18.dr	Static PE information: section name:
Source: opugKRO9HQIQrHGr6X89OLro.exe.18.dr	Static PE information: section name:
Source: opugKRO9HQIQrHGr6X89OLro.exe.18.dr	Static PE information: section name:
Source: opugKRO9HQIQrHGr6X89OLro.exe.18.dr	Static PE information: section name: .7-Zip0
Source: opugKRO9HQIQrHGr6X89OLro.exe.18.dr	Static PE information: section name:
Source: opugKRO9HQIQrHGr6X89OLro.exe.18.dr	Static PE information: section name: .7-Zip1
Source: opugKRO9HQIQrHGr6X89OLro.exe.18.dr	Static PE information: section name: .7-Zip2
Source: opugKRO9HQIQrHGr6X89OLro.exe.18.dr	Static PE information: section name: .7-Zip3
Source: AboFkE91gGtC0jX22BS3GOn1.exe.18.dr	Static PE information: section name:
Source: AboFkE91gGtC0jX22BS3GOn1.exe.18.dr	Static PE information: section name:
Source: AboFkE91gGtC0jX22BS3GOn1.exe.18.dr	Static PE information: section name:
Source: AboFkE91gGtC0jX22BS3GOn1.exe.18.dr	Static PE information: section name:
Source: AboFkE91gGtC0jX22BS3GOn1.exe.18.dr	Static PE information: section name:
Source: AboFkE91gGtC0jX22BS3GOn1.exe.18.dr	Static PE information: section name: .7-Zip0
Source: AboFkE91gGtC0jX22BS3GOn1.exe.18.dr	Static PE information: section name:
Source: AboFkE91gGtC0jX22BS3GOn1.exe.18.dr	Static PE information: section name: .7-Zip1
Source: AboFkE91gGtC0jX22BS3GOn1.exe.18.dr	Static PE information: section name: .7-Zip2
Source: AboFkE91gGtC0jX22BS3GOn1.exe.18.dr	Static PE information: section name: .7-Zip3
Source: SPpYvykupaNYuUQqOkv0xHw6.exe.18.dr	Static PE information: section name:
Source: SPpYvykupaNYuUQqOkv0xHw6.exe.18.dr	Static PE information: section name:
Source: SPpYvykupaNYuUQqOkv0xHw6.exe.18.dr	Static PE information: section name:
Source: SPpYvykupaNYuUQqOkv0xHw6.exe.18.dr	Static PE information: section name:
Source: SPpYvykupaNYuUQqOkv0xHw6.exe.18.dr	Static PE information: section name:
Source: SPpYvykupaNYuUQqOkv0xHw6.exe.18.dr	Static PE information: section name: .7-Zip0
Source: SPpYvykupaNYuUQqOkv0xHw6.exe.18.dr	Static PE information: section name:
Source: SPpYvykupaNYuUQqOkv0xHw6.exe.18.dr	Static PE information: section name: .7-Zip1
Source: SPpYvykupaNYuUQqOkv0xHw6.exe.18.dr	Static PE information: section name: .7-Zip2
Source: SPpYvykupaNYuUQqOkv0xHw6.exe.18.dr	Static PE information: section name: .7-Zip3
Source: flZM696vxwchmoky86e6PuiE.exe.18.dr	Static PE information: section name:
Source: flZM696vxwchmoky86e6PuiE.exe.18.dr	Static PE information: section name:
Source: flZM696vxwchmoky86e6PuiE.exe.18.dr	Static PE information: section name:
Source: flZM696vxwchmoky86e6PuiE.exe.18.dr	Static PE information: section name:
Source: flZM696vxwchmoky86e6PuiE.exe.18.dr	Static PE information: section name:
Source: flZM696vxwchmoky86e6PuiE.exe.18.dr	Static PE information: section name: .7-Zip0
Source: flZM696vxwchmoky86e6PuiE.exe.18.dr	Static PE information: section name:
Source: flZM696vxwchmoky86e6PuiE.exe.18.dr	Static PE information: section name: .7-Zip1
Source: flZM696vxwchmoky86e6PuiE.exe.18.dr	Static PE information: section name: .7-Zip2
Source: flZM696vxwchmoky86e6PuiE.exe.18.dr	Static PE information: section name: .7-Zip3

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00425472	1_2_00425472
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00424005	1_2_00424005
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00426923	1_2_00426923
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00424F21	1_2_00424F21
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_004249D0	1_2_004249D0
Source: C:\Users\user\AppData\Roaming\jwjrtuw	Code function: 7_2_00425472	7_2_00425472
Source: C:\Users\user\AppData\Roaming\jwjrtuw	Code function: 7_2_00424005	7_2_00424005
Source: C:\Users\user\AppData\Roaming\jwjrtuw	Code function: 7_2_00426923	7_2_00426923
Source: C:\Users\user\AppData\Roaming\jwjrtuw	Code function: 7_2_00424F21	7_2_00424F21
Source: C:\Users\user\AppData\Roaming\jwjrtuw	Code function: 7_2_004249D0	7_2_004249D0
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 10_2_0447E6E0	10_2_0447E6E0
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 10_2_044BB69F	10_2_044BB69F
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 10_2_0447C760	10_2_0447C760
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 10_2_0449D7F1	10_2_0449D7F1
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 10_2_0447B000	10_2_0447B000
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 10_2_0448F030	10_2_0448F030
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 10_2_044800D0	10_2_044800D0
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 10_2_044730F0	10_2_044730F0
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 10_2_0447B0B0	10_2_0447B0B0
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 10_2_044BE141	10_2_044BE141
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 10_2_0449D1A4	10_2_0449D1A4
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 10_2_044BE37C	10_2_044BE37C
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 10_2_044B2D1E	10_2_044B2D1E
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 10_2_044A4E9F	10_2_044A4E9F
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 10_2_044918D0	10_2_044918D0
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 10_2_0448A930	10_2_0448A930
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 10_2_0449E9A3	10_2_0449E9A3
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 10_2_0449F9B0	10_2_0449F9B0
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 10_2_0447CA10	10_2_0447CA10
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 10_2_04472B60	10_2_04472B60
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 10_2_04480B00	10_2_04480B00
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 10_2_0447DBE0	10_2_0447DBE0
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_0040D240	11_2_0040D240
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_00427D6C	11_2_00427D6C
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_00419F90	11_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_00405057	11_2_00405057
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_0040C070	11_2_0040C070
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_0042E003	11_2_0042E003
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_0042F010	11_2_0042F010
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_00408030	11_2_00408030
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_004070E0	11_2_004070E0
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_00410160	11_2_00410160
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_004C8113	11_2_004C8113
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_004021C0	11_2_004021C0
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_004391F6	11_2_004391F6
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_00435240	11_2_00435240
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_004C9343	11_2_004C9343
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_0044237E	11_2_0044237E
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_00405447	11_2_00405447
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_00405457	11_2_00405457
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_004084C0	11_2_004084C0
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_004344FF	11_2_004344FF
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_00449506	11_2_00449506
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_0043E5A3	11_2_0043E5A3
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_0044B5B1	11_2_0044B5B1
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_0040A660	11_2_0040A660
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_00435675	11_2_00435675
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_00409686	11_2_00409686
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_0041E690	11_2_0041E690
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_00406740	11_2_00406740
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_00402750	11_2_00402750
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_0040A710	11_2_0040A710
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_0040F730	11_2_0040F730
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_00408780	11_2_00408780
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_0044D7A1	11_2_0044D7A1
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_0042C804	11_2_0042C804
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_00406880	11_2_00406880
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_00481920	11_2_00481920
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_0044D9DC	11_2_0044D9DC
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_004349F3	11_2_004349F3
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_004069F3	11_2_004069F3
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_00449A71	11_2_00449A71
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_00443B40	11_2_00443B40
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_00402B80	11_2_00402B80
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_00406B80	11_2_00406B80
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_00409CF9	11_2_00409CF9
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_0044ACFF	11_2_0044ACFF
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_0040DD40	11_2_0040DD40
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_0040BDC0	11_2_0040BDC0
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_00409DFA	11_2_00409DFA
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_0042CE51	11_2_0042CE51
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_00434E0B	11_2_00434E0B
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_00406EE0	11_2_00406EE0
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_00409F76	11_2_00409F76
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_00420F30	11_2_00420F30
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_00449FE3	11_2_00449FE3

Source: C:\Windows\explorer.exe	Section loaded: windows.staterepositorybroker.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: capauthz.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: capabilityaccessmanagerclient.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: npsmdesktopprovider.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: lz32.dll	Jump to behavior

Source: P94EhV34EPtPaMGwUp1MdOBl.exe.18.dr	Static PE information: Number of sections : 15 > 10
Source: flZM696vxwchmoky86e6PuiE.exe.18.dr	Static PE information: Number of sections : 15 > 10
Source: AboFkE91gGtC0jX22BS3GOn1.exe.18.dr	Static PE information: Number of sections : 15 > 10
Source: 1oYHJ3b1F3QrpZXBIXgl6loz.exe.18.dr	Static PE information: Number of sections : 11 > 10
Source: SPpYvykupaNYuUQqOkv0xHw6.exe.18.dr	Static PE information: Number of sections : 15 > 10
Source: uYMXNl5sSvaZoW3VwBNxI0U7.exe.18.dr	Static PE information: Number of sections : 15 > 10
Source: WQ1sXS4A8SPQ3OH5qUwmsfK7.exe.18.dr	Static PE information: Number of sections : 11 > 10
Source: opugKRO9HQIQrHGr6X89OLro.exe.18.dr	Static PE information: Number of sections : 15 > 10

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.50dd858.3.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 25.2.4A15.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 25.2.4A15.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 25.2.4A15.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 25.2.4A15.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 24.2.4A15.exe.43815a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 24.2.4A15.exe.43815a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 24.2.4A15.exe.43815a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 24.2.4A15.exe.43815a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 10.2.4A15.exe.44715a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 10.2.4A15.exe.44715a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 11.2.4A15.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 11.2.4A15.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.50dd858.3.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.4260000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_OnlyLogger author = ditekSHen, description = Detects OnlyLogger loader variants
Source: 33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.508b050.2.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.4260000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_OnlyLogger author = ditekSHen, description = Detects OnlyLogger loader variants
Source: 27.2.4A15.exe.43915a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 27.2.4A15.exe.43915a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.506d050.7.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.508b050.2.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.506d050.7.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 11.2.4A15.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 11.2.4A15.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.5146010.5.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 29.2.4A15.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 29.2.4A15.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.5146010.4.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 27.2.4A15.exe.43915a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 27.2.4A15.exe.43915a0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 10.2.4A15.exe.44715a0.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 10.2.4A15.exe.44715a0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 29.2.4A15.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 29.2.4A15.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000025.00000002.457133950.00000000004E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000001.00000002.376788233.0000000004111000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000022.00000002.542182071.00000000046F2000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000024.00000002.541185132.0000000004B20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000001B.00000002.521657270.00000000042E3000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000001F.00000002.446630399.0000000002858000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000A.00000002.419357601.0000000004470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000018.00000002.436925476.0000000004380000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000022.00000002.550001229.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000019.00000002.528674260.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000019.00000002.528674260.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000001.00000002.376743466.0000000002659000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000A.00000002.419328976.000000000429C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000001.00000002.376714688.0000000002600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000007.00000002.428763684.00000000026F8000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000007.00000002.428808631.00000000040F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000018.00000002.436833878.0000000004194000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000021.00000003.444125965.0000000004260000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_OnlyLogger author = ditekSHen, description = Detects OnlyLogger loader variants
Source: 0000001D.00000002.665875140.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000001D.00000002.665875140.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: 00000007.00000002.428745109.00000000026D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000024.00000002.531504418.0000000004625000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000001B.00000002.521687562.0000000004390000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 00000001.00000002.376709250.00000000025F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000007.00000002.428789330.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000025.00000002.457074870.00000000004B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000B.00000002.435887482.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: 0000000B.00000002.435887482.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_STOP snort2_sid = 920113, author = ditekSHen, description = Detects STOP ransomware, clamav_sig = MALWARE.Win.Ransomware.STOP, snort3_sid = 920111
Source: Process Memory Space: 4A15.exe PID: 4692, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: 4A15.exe PID: 3164, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: 4A15.exe PID: 5976, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: 4A15.exe PID: 6392, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: 4A15.exe PID: 2456, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: Process Memory Space: 4A15.exe PID: 2884, type: MEMORYSTR	Matched rule: Windows_Ransomware_Stop_1e8d48ff reference_sample = 821b27488f296e15542b13ac162db4a354cbf4386b6cd40a550c4a71f4d628f3, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Ransomware.Stop, fingerprint = 715888e3e13aaa33f2fd73beef2c260af13e9726cb4b43d349333e3259bf64eb, id = 1e8d48ff-e0ab-478d-8268-a11f2e87ab79, last_modified = 2021-08-23
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\s51[1], type: DROPPED	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: C:\Users\user\AppData\Local\4204bcd2-893f-40a6-aea5-23bed3094b06\build3.exe, type: DROPPED	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: C:\Users\user\AppData\Local\4204bcd2-893f-40a6-aea5-23bed3094b06\build3.exe, type: DROPPED	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: C:\Users\user\Pictures\Minor Policy\oM7t40xLe0OgCrSQGKhQ7p6Z.exe, type: DROPPED	Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\build3[1].exe, type: DROPPED	Matched rule: Windows_Trojan_Clipbanker_f9f9e79d reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = ec985e1273d8ff52ea7f86271a96db01633402facf8d140d11b82e5539e4b5fd, id = f9f9e79d-ce71-4b6c-83e0-ac6e06252c25, last_modified = 2022-06-09
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\build3[1].exe, type: DROPPED	Matched rule: Windows_Trojan_Clipbanker_787b130b reference_sample = 0407e8f54490b2a24e1834d99ec0452f217499f1e5a64de3d28439d71d16d43c, os = windows, severity = x86, creation_date = 2022-04-24, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Clipbanker, fingerprint = 15f3c7d5f25982a02a6bca0b550b3b65e1e21efa5717a1ea0c13dfe46b8f2699, id = 787b130b-6382-42f0-8822-fce457fa940d, last_modified = 2022-06-09
Source: C:\Users\user\AppData\Local\Temp\BB52.exe, type: DROPPED	Matched rule: MALWARE_Win_DLInjector04 author = ditekSHen, description = Detects downloader / injector

Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: String function: 00428C81 appears 41 times
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: String function: 0042F7C0 appears 56 times
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: String function: 0044F23E appears 53 times
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: String function: 00428520 appears 74 times
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: String function: 04498EC0 appears 50 times
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: String function: 044A0160 appears 46 times
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: String function: 004547A0 appears 31 times

Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00401558 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	1_2_00401558
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00401749 NtMapViewOfSection,NtMapViewOfSection,	1_2_00401749
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00401564 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	1_2_00401564
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00401577 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	1_2_00401577
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00401523 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	1_2_00401523
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_00401585 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	1_2_00401585
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0040158C NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	1_2_0040158C
Source: C:\Users\user\Desktop\file.exe	Code function: 1_2_0040159A NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	1_2_0040159A
Source: C:\Users\user\AppData\Roaming\jwjrtuw	Code function: 7_2_00401558 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	7_2_00401558
Source: C:\Users\user\AppData\Roaming\jwjrtuw	Code function: 7_2_00401749 NtMapViewOfSection,NtMapViewOfSection,	7_2_00401749
Source: C:\Users\user\AppData\Roaming\jwjrtuw	Code function: 7_2_00401564 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	7_2_00401564
Source: C:\Users\user\AppData\Roaming\jwjrtuw	Code function: 7_2_00401577 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	7_2_00401577
Source: C:\Users\user\AppData\Roaming\jwjrtuw	Code function: 7_2_00401523 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	7_2_00401523
Source: C:\Users\user\AppData\Roaming\jwjrtuw	Code function: 7_2_00401585 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	7_2_00401585
Source: C:\Users\user\AppData\Roaming\jwjrtuw	Code function: 7_2_0040158C NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	7_2_0040158C
Source: C:\Users\user\AppData\Roaming\jwjrtuw	Code function: 7_2_0040159A NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	7_2_0040159A
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 10_2_04470110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,	10_2_04470110

Source: file.exe	Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: 9315.exe.2.dr	Static PE information: Resource name: RT_RCDATA type: Microsoft Cabinet archive data, many, 983088 bytes, 2 files, at 0x2c +A "z1899051.exe" +A "w7735502.exe", ID 1711, number 1, 32 datablocks, 0x1503 compression
Source: D8E5.exe.2.dr	Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: 2D42.exe.2.dr	Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: 9117.exe.2.dr	Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: jwjrtuw.2.dr	Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: soa3mGK83PMJk1RZrnayLoiR.exe.18.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: mbsmLcWDGIknMhQtAUGQxRi5.exe.18.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: tJU5p8ys1whXWo8BDeT3nnmx.exe.18.dr	Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: sXkL3LKFhhFZp9IPDF60kufQ.exe.18.dr	Static PE information: Resource name: RT_VERSION type: ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970
Source: mdVqxBv1FXzpT51i7izhV1L3.exe.18.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS

Source: file.exe, 00000001.00000002.376679497.0000000002591000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: OriginalFilenameKujingle.exe2 vs file.exe

Source: 4A15.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 2629.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 9117.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 4A15.exe.11.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 3958.dll.2.dr	Static PE information: Section: CODE ZLIB complexity 0.9980922965116279
Source: 25C8.dll.2.dr	Static PE information: Section: CODE ZLIB complexity 0.9980922965116279

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\jwjrtuw

Jump to behavior

Source: classification engine

Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@149/755@0/51

Source: C:\Windows\explorer.exe

File read: C:\Users\user\Searches\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\4A15.exe

Code function: 11_2_00411900 GetLastError,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,LocalAlloc,lstrcpyW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,_memset,lstrcpynW,MessageBoxW,LocalFree,LocalFree,LocalFree,

11_2_00411900

Source: C:\Users\user\Pictures\Pwp3yspp3pM97CCYpnZxEaEs.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Pictures\Pwp3yspp3pM97CCYpnZxEaEs.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-23R8R.tmp\Pwp3yspp3pM97CCYpnZxEaEs.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-23R8R.tmp\Pwp3yspp3pM97CCYpnZxEaEs.tmp	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Users\user\AppData\Local\Temp\is-23R8R.tmp\Pwp3yspp3pM97CCYpnZxEaEs.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown	Process created: C:\Users\user\AppData\Roaming\jwjrtuw C:\Users\user\AppData\Roaming\jwjrtuw
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\4A15.exe C:\Users\user\AppData\Local\Temp\4A15.exe
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Process created: C:\Users\user\AppData\Local\Temp\4A15.exe C:\Users\user\AppData\Local\Temp\4A15.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32 /s C:\Users\user\AppData\Local\Temp\3958.dll
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe /s C:\Users\user\AppData\Local\Temp\3958.dll
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\A388.exe C:\Users\user\AppData\Local\Temp\A388.exe
Source: C:\Users\user\AppData\Local\Temp\A388.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\A388.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Source: C:\Users\user\AppData\Local\Temp\A388.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Source: C:\Users\user\AppData\Local\Temp\A388.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\d11683cc-0d8b-41c4-a224-c03c55bb751f" /deny *S-1-1-0:(OI)(CI)(DE,DC)
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Process created: C:\Users\user\AppData\Local\Temp\4A15.exe "C:\Users\user\AppData\Local\Temp\4A15.exe" --Admin IsNotAutoStart IsNotTask
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Process created: C:\Users\user\AppData\Local\Temp\4A15.exe "C:\Users\user\AppData\Local\Temp\4A15.exe" --Admin IsNotAutoStart IsNotTask
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Users\user\Pictures\i4PHS5R0iEKcuu4uBuaRKA3v.exe "C:\Users\user\Pictures\i4PHS5R0iEKcuu4uBuaRKA3v.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\d11683cc-0d8b-41c4-a224-c03c55bb751f\4A15.exe C:\Users\user\AppData\Local\d11683cc-0d8b-41c4-a224-c03c55bb751f\4A15.exe --Task
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Users\user\Pictures\Pwp3yspp3pM97CCYpnZxEaEs.exe "C:\Users\user\Pictures\Pwp3yspp3pM97CCYpnZxEaEs.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /PID=5333
Source: C:\Users\user\AppData\Local\d11683cc-0d8b-41c4-a224-c03c55bb751f\4A15.exe	Process created: C:\Users\user\AppData\Local\d11683cc-0d8b-41c4-a224-c03c55bb751f\4A15.exe C:\Users\user\AppData\Local\d11683cc-0d8b-41c4-a224-c03c55bb751f\4A15.exe --Task
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe "C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Users\user\Pictures\t3PINyJoW83t7JJSZ5BPE6bi.exe "C:\Users\user\Pictures\t3PINyJoW83t7JJSZ5BPE6bi.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Users\user\Pictures\YRhJ9y7wcq2JenN54ladams2.exe "C:\Users\user\Pictures\YRhJ9y7wcq2JenN54ladams2.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Users\user\Pictures\U58dhzMU8ddvYuIUxUkOSiON.exe "C:\Users\user\Pictures\U58dhzMU8ddvYuIUxUkOSiON.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Users\user\Pictures\941caPIfMmGnCq8PWe7WWHEk.exe "C:\Users\user\Pictures\941caPIfMmGnCq8PWe7WWHEk.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Users\user\Pictures\V1NdDWPeq5yoU55PUCrHuT1N.exe "C:\Users\user\Pictures\V1NdDWPeq5yoU55PUCrHuT1N.exe" /s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Users\user\Pictures\f8hJzDp1zQtAPJgciyNSoGpb.exe "C:\Users\user\Pictures\f8hJzDp1zQtAPJgciyNSoGpb.exe"
Source: C:\Users\user\Pictures\t3PINyJoW83t7JJSZ5BPE6bi.exe	Process created: C:\Users\user\Pictures\t3PINyJoW83t7JJSZ5BPE6bi.exe "C:\Users\user\Pictures\t3PINyJoW83t7JJSZ5BPE6bi.exe"
Source: C:\Users\user\Pictures\Pwp3yspp3pM97CCYpnZxEaEs.exe	Process created: C:\Users\user\AppData\Local\Temp\is-23R8R.tmp\Pwp3yspp3pM97CCYpnZxEaEs.tmp "C:\Users\user\AppData\Local\Temp\is-23R8R.tmp\Pwp3yspp3pM97CCYpnZxEaEs.tmp" /SL5="$1044C,4692544,832512,C:\Users\user\Pictures\Pwp3yspp3pM97CCYpnZxEaEs.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /PID=5333
Source: C:\Users\user\Pictures\YRhJ9y7wcq2JenN54ladams2.exe	Process created: C:\Users\user\AppData\Local\Temp\is-O59IV.tmp\YRhJ9y7wcq2JenN54ladams2.tmp "C:\Users\user\AppData\Local\Temp\is-O59IV.tmp\YRhJ9y7wcq2JenN54ladams2.tmp" /SL5="$30434,491750,408064,C:\Users\user\Pictures\YRhJ9y7wcq2JenN54ladams2.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\4A15.exe C:\Users\user\AppData\Local\Temp\4A15.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32 /s C:\Users\user\AppData\Local\Temp\3958.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\A388.exe C:\Users\user\AppData\Local\Temp\A388.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Process created: C:\Users\user\AppData\Local\Temp\4A15.exe C:\Users\user\AppData\Local\Temp\4A15.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\d11683cc-0d8b-41c4-a224-c03c55bb751f" /deny *S-1-1-0:(OI)(CI)(DE,DC)	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe /s C:\Users\user\AppData\Local\Temp\3958.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A388.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Source: C:\Users\user\AppData\Local\Temp\A388.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Source: C:\Users\user\AppData\Local\Temp\A388.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Users\user\Pictures\i4PHS5R0iEKcuu4uBuaRKA3v.exe "C:\Users\user\Pictures\i4PHS5R0iEKcuu4uBuaRKA3v.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Users\user\Pictures\Pwp3yspp3pM97CCYpnZxEaEs.exe "C:\Users\user\Pictures\Pwp3yspp3pM97CCYpnZxEaEs.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /PID=5333
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe "C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Users\user\Pictures\t3PINyJoW83t7JJSZ5BPE6bi.exe "C:\Users\user\Pictures\t3PINyJoW83t7JJSZ5BPE6bi.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Users\user\Pictures\YRhJ9y7wcq2JenN54ladams2.exe "C:\Users\user\Pictures\YRhJ9y7wcq2JenN54ladams2.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Users\user\Pictures\U58dhzMU8ddvYuIUxUkOSiON.exe "C:\Users\user\Pictures\U58dhzMU8ddvYuIUxUkOSiON.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Users\user\Pictures\941caPIfMmGnCq8PWe7WWHEk.exe "C:\Users\user\Pictures\941caPIfMmGnCq8PWe7WWHEk.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Users\user\Pictures\V1NdDWPeq5yoU55PUCrHuT1N.exe "C:\Users\user\Pictures\V1NdDWPeq5yoU55PUCrHuT1N.exe" /s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Users\user\Pictures\f8hJzDp1zQtAPJgciyNSoGpb.exe "C:\Users\user\Pictures\f8hJzDp1zQtAPJgciyNSoGpb.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Process created: C:\Users\user\AppData\Local\Temp\4A15.exe "C:\Users\user\AppData\Local\Temp\4A15.exe" --Admin IsNotAutoStart IsNotTask
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\d11683cc-0d8b-41c4-a224-c03c55bb751f\4A15.exe	Process created: C:\Users\user\AppData\Local\d11683cc-0d8b-41c4-a224-c03c55bb751f\4A15.exe C:\Users\user\AppData\Local\d11683cc-0d8b-41c4-a224-c03c55bb751f\4A15.exe --Task
Source: C:\Users\user\Pictures\Pwp3yspp3pM97CCYpnZxEaEs.exe	Process created: C:\Users\user\AppData\Local\Temp\is-23R8R.tmp\Pwp3yspp3pM97CCYpnZxEaEs.tmp "C:\Users\user\AppData\Local\Temp\is-23R8R.tmp\Pwp3yspp3pM97CCYpnZxEaEs.tmp" /SL5="$1044C,4692544,832512,C:\Users\user\Pictures\Pwp3yspp3pM97CCYpnZxEaEs.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /PID=5333
Source: C:\Users\user\Pictures\t3PINyJoW83t7JJSZ5BPE6bi.exe	Process created: C:\Users\user\Pictures\t3PINyJoW83t7JJSZ5BPE6bi.exe "C:\Users\user\Pictures\t3PINyJoW83t7JJSZ5BPE6bi.exe"
Source: C:\Users\user\Pictures\YRhJ9y7wcq2JenN54ladams2.exe	Process created: C:\Users\user\AppData\Local\Temp\is-O59IV.tmp\YRhJ9y7wcq2JenN54ladams2.tmp "C:\Users\user\AppData\Local\Temp\is-O59IV.tmp\YRhJ9y7wcq2JenN54ladams2.tmp" /SL5="$30434,491750,408064,C:\Users\user\Pictures\YRhJ9y7wcq2JenN54ladams2.exe"
Source: C:\Users\user\Pictures\U58dhzMU8ddvYuIUxUkOSiON.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\U58dhzMU8ddvYuIUxUkOSiON.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\941caPIfMmGnCq8PWe7WWHEk.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\f8hJzDp1zQtAPJgciyNSoGpb.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-23R8R.tmp\Pwp3yspp3pM97CCYpnZxEaEs.tmp	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-23R8R.tmp\Pwp3yspp3pM97CCYpnZxEaEs.tmp	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-23R8R.tmp\Pwp3yspp3pM97CCYpnZxEaEs.tmp	Process created: unknown unknown

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{603D3801-BD81-11d0-A3A5-00C04FD706EC}\InProcServer32

Jump to behavior

Source: C:\Users\user\Pictures\f8hJzDp1zQtAPJgciyNSoGpb.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Local\Temp\4A15.tmp

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\4A15.exe

Code function: 11_2_0040D240 CoInitialize,CoInitializeSecurity,CoCreateInstance,VariantInit,VariantInit,VariantInit,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,CoUninitialize,CoUninitialize,CoUninitialize,__time64,__localtime64,_wcsftime,VariantInit,VariantInit,VariantClear,VariantClear,VariantClear,VariantClear,swprintf,CoUninitialize,CoUninitialize,

11_2_0040D240

Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000002.659928263.0000000003840000.00000040.00001000.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000002.659906409.00000000036C0000.00000040.00001000.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000002.659798164.0000000002DF0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000002.659928263.0000000003840000.00000040.00001000.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000002.659906409.00000000036C0000.00000040.00001000.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000002.659798164.0000000002DF0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000002.659928263.0000000003840000.00000040.00001000.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000002.659906409.00000000036C0000.00000040.00001000.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000002.659798164.0000000002DF0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT 'INSERT INTO vacuum_db.' \|\| quote(name) \|\| ' SELECT * FROM main.' \|\| quote(name) \|\| ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.518699245.0000000003A25000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.621914047.00000000039FF000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.557010087.0000000003A29000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.631372323.0000000003A21000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.644710934.0000000003A19000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.580765017.0000000003A2B000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.510056403.0000000003A1E000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.450265651.00000000014CC000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.507939167.0000000003A2D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT creation_utc,host_key,name,value,path,expires_utc,is_secure,is_httponly,last_access_utc,has_expires,is_persistent,priority,hex(encrypted_value) encrypted_value,samesite,source_scheme,source_port,is_same_party FROM cookies;
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.510056403.0000000003A1E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT creation_utc,host_key,name,value,path,expires_utc,is_secure,is_httponly,last_access_utc,has_expires,is_persistent,priority,hex(encrypted_value) encrypted_value,samesite,source_scheme,source_port,is_same_party FROM cookies;xT
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000002.659928263.0000000003840000.00000040.00001000.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000002.659906409.00000000036C0000.00000040.00001000.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000002.659798164.0000000002DF0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.621914047.00000000039FF000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.631372323.0000000003A21000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.644710934.0000000003A19000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.624585849.0000000003A10000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT creation_utc,host_key,name,value,path,expires_utc,is_secure,is_httponly,last_access_utc,has_expires,is_persistent,priority,hex(encrypted_value) encrypted_value,samesite,source_scheme,source_port,is_same_party FROM cookies;/x
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000002.659928263.0000000003840000.00000040.00001000.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000002.659906409.00000000036C0000.00000040.00001000.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000002.659798164.0000000002DF0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.580765017.0000000003A2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT creation_utc,host_key,name,value,path,expires_utc,is_secure,is_httponly,last_access_utc,has_expires,is_persistent,priority,hex(encrypted_value) encrypted_value,samesite,source_scheme,source_port,is_same_party FROM cookies;H3
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.507939167.0000000003A2D000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.503664579.0000000003A1E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT creation_utc,host_key,name,value,path,expires_utc,is_secure,is_httponly,last_access_utc,has_expires,is_persistent,priority,hex(encrypted_value) encrypted_value,samesite,source_scheme,source_port,is_same_party FROM cookies;8D
Source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.557680058.000000000DCA4000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT OSArchitecture FROM Win32_OperatingSystem.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSCDriverData=C:\Windows\System32\Drivers\DriverData
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000002.659928263.0000000003840000.00000040.00001000.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000002.659906409.00000000036C0000.00000040.00001000.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000002.659798164.0000000002DF0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.518699245.0000000003A25000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.557010087.0000000003A29000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.522164708.0000000003A2D000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.555251999.0000000003A2C000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.529294566.0000000003A2D000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.546344384.0000000003A29000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.530724402.0000000003A2D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT creation_utc,host_key,name,value,path,expires_utc,is_secure,is_httponly,last_access_utc,has_expires,is_persistent,priority,hex(encrypted_value) encrypted_value,samesite,source_scheme,source_port,is_same_party FROM cookies;Pq
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.529294566.0000000003A2D000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.530724402.0000000003A2D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SELECT creation_utc,host_key,name,value,path,expires_utc,is_secure,is_httponly,last_access_utc,has_expires,is_persistent,priority,hex(encrypted_value) encrypted_value,samesite,source_scheme,source_port,is_same_party FROM cookies;jl
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000002.659928263.0000000003840000.00000040.00001000.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000002.659906409.00000000036C0000.00000040.00001000.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000002.659798164.0000000002DF0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: SELECT 'DELETE FROM vacuum_db.' \|\| quote(name) \|\| ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\75b341f10c9579cbe1059d18f6f3b27b\mscorlib.ni.dll
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\75b341f10c9579cbe1059d18f6f3b27b\mscorlib.ni.dll

Source: C:\Users\user\AppData\Local\Temp\4A15.exe

Code function: 10_2_0429C7C6 CreateToolhelp32Snapshot,Module32First,

10_2_0429C7C6

Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Mutant created: \Sessions\1\BaseNamedObjects\{1D6FC66E-D1F3-422C-8A53-C0BBCF3D900D}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6852:120:WilError_01

Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Command line argument: --Admin	11_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Command line argument: IsAutoStart	11_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Command line argument: IsTask	11_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Command line argument: --ForNetRes	11_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Command line argument: IsAutoStart	11_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Command line argument: IsTask	11_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Command line argument: --Task	11_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Command line argument: --AutoStart	11_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Command line argument: --Service	11_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Command line argument: X1P	11_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Command line argument: --Admin	11_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Command line argument: runas	11_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Command line argument: x2Q	11_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Command line argument: x*P	11_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Command line argument: C:\Windows\	11_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Command line argument: D:\Windows\	11_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Command line argument: 7P	11_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Command line argument: %username%	11_2_00419F90
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Command line argument: F:\	11_2_00419F90

Source: 4A15.exe	String found in binary or memory: set-addPolicy
Source: 4A15.exe	String found in binary or memory: id-cmc-addExtensions
Source: 4A15.exe	String found in binary or memory: set-addPolicy
Source: 4A15.exe	String found in binary or memory: id-cmc-addExtensions

Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\explorer.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Pictures\i4PHS5R0iEKcuu4uBuaRKA3v.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Pictures\i4PHS5R0iEKcuu4uBuaRKA3v.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Pictures\i4PHS5R0iEKcuu4uBuaRKA3v.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: C:\Users\user\AppData\Local\Temp\is-23R8R.tmp\Pwp3yspp3pM97CCYpnZxEaEs.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Source: C:\Users\user\AppData\Local\Temp\is-23R8R.tmp\Pwp3yspp3pM97CCYpnZxEaEs.tmp

Window found: window name: TMainForm

Source: C:\Users\user\AppData\Local\Temp\is-23R8R.tmp\Pwp3yspp3pM97CCYpnZxEaEs.tmp

File opened: C:\Windows\SysWOW64\MSFTEDIT.DLL

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-23R8R.tmp\Pwp3yspp3pM97CCYpnZxEaEs.tmp

Registry value created: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\{64F4736C-6169-4520-9368-BE1C9EAE552A}_is1

Source:	Binary string: P:\Target\x64\ship\groove\x-none\grooveex.pdbeex.pdb000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 source: explorer.exe, 00000002.00000000.376312472.00007FFC2B141000.00000020.00000001.01000000.00000005.sdmp
Source:	Binary string: Loader.pdb source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000843000.00000040.00000001.01000000.00000017.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.0000000004F33000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\cr4shed\Desktop\MyHealthLoader\obj\Debug\MyHealthLoader.pdb source: 4GAUQKCdkFpttJoyS2YGgxr9.exe, 0000001E.00000002.699952372.0000000003735000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: EfiGuardDxe.pdb7 source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.542182071.00000000046F2000.00000040.00000020.00020000.00000000.sdmp
Source:	Binary string: Unrecognized pdb formatThis error indicates attempting to access a .pdb file with source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.00000000051BB000.00000040.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000ACC000.00000040.00000001.01000000.00000017.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.541185132.00000000051EB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: A connection with the server could not be establishedAn extended error was returned from the WinHttp serverThe .pdb file is probably no longer indexed in the symbol server share location. source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.00000000051BB000.00000040.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000ACC000.00000040.00000001.01000000.00000017.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.541185132.00000000051EB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: Age does not matchThe module age and .pdb age do not match. source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.00000000051BB000.00000040.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000ACC000.00000040.00000001.01000000.00000017.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.541185132.00000000051EB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: symsrv.pdb source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000C79000.00000040.00000001.01000000.00000017.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.0000000005369000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: Cvinfo is corruptThe .pdb file contains a corrupted debug codeview information. source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.00000000051BB000.00000040.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000ACC000.00000040.00000001.01000000.00000017.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.541185132.00000000051EB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: SetupUtility.pdb source: 4A15.exe, 00000019.00000003.473464201.0000000009A20000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Downloading symbols for [%s] %ssrvsymsrvhttp://https://_bad_pdb_file.pdb source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.00000000051BB000.00000040.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000ACC000.00000040.00000001.01000000.00000017.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.541185132.00000000051EB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: Setup.pdb source: 4A15.exe, 00000019.00000003.473294254.0000000009A20000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: The symbol server has never indexed any version of this symbol fileNo version of the .pdb file with the given name has ever been registered. source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.00000000051BB000.00000040.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000ACC000.00000040.00000001.01000000.00000017.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.541185132.00000000051EB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: PDB not foundUnable to locate the .pdb file in any of the symbol search path locations. source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.00000000051BB000.00000040.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000ACC000.00000040.00000001.01000000.00000017.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.541185132.00000000051EB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdb source: 4A15.exe, 4A15.exe, 0000000B.00000002.435887482.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 4A15.exe, 00000018.00000002.436925476.0000000004380000.00000040.00001000.00020000.00000000.sdmp, 4A15.exe, 00000019.00000002.528674260.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 4A15.exe, 0000001B.00000002.521687562.0000000004390000.00000040.00001000.00020000.00000000.sdmp, 4A15.exe, 0000001D.00000002.665875140.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\Release\Winmon.pdb source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000843000.00000040.00000001.01000000.00000017.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.0000000004F33000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: Magnify.pdb source: 4A15.exe, 00000019.00000003.526084395.0000000003170000.00000004.00001000.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000000.437080358.00007FF77A411000.00000020.00000001.01000000.0000000F.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000002.683131767.00007FF77A411000.00000020.00000001.01000000.0000000F.sdmp
Source:	Binary string: P:\Target\x64\ship\groove\x-none\grooveex.pdb source: explorer.exe, 00000002.00000000.376312472.00007FFC2B141000.00000020.00000001.01000000.00000005.sdmp
Source:	Binary string: C:\vbox\branch\w64-1.6\out\win.amd64\release\obj\src\VBox\HostDrivers\VBoxDrv\VBoxDrv.pdb source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000843000.00000040.00000001.01000000.00000017.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.0000000004F33000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: c:\Users\Admin\documents\visual studio 2015\Projects\Winmon\x64\Release\Winmon.pdb source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000843000.00000040.00000001.01000000.00000017.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.0000000004F33000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: Drive not readyThis error indicates a .pdb file related failure. source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.00000000051BB000.00000040.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000ACC000.00000040.00000001.01000000.00000017.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.541185132.00000000051EB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: Error while loading symbolsUnable to locate the .pdb file in any of the symbol search source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.00000000051BB000.00000040.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000ACC000.00000040.00000001.01000000.00000017.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.541185132.00000000051EB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: zzz_AsmCodeRange_*FrameDatainvalid string positionstring too long.pdb source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.00000000051BB000.00000040.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000ACC000.00000040.00000001.01000000.00000017.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.541185132.00000000051EB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: Magnify.pdb@WH source: 4A15.exe, 00000019.00000003.526084395.0000000003170000.00000004.00001000.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000000.437080358.00007FF77A411000.00000020.00000001.01000000.0000000F.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000002.683131767.00007FF77A411000.00000020.00000001.01000000.0000000F.sdmp
Source:	Binary string: mscorlib.pdb source: 4GAUQKCdkFpttJoyS2YGgxr9.exe, 0000001E.00000002.699952372.0000000003735000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: Pdb read access deniedYou may be attempting to access a .pdb file with read-only attributes source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.00000000051BB000.00000040.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000ACC000.00000040.00000001.01000000.00000017.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.541185132.00000000051EB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: Unable to locate the .pdb file in this location source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.00000000051BB000.00000040.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000ACC000.00000040.00000001.01000000.00000017.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.541185132.00000000051EB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\x64\Release\WinmonFS.pdb source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000843000.00000040.00000001.01000000.00000017.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.0000000004F33000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: The module signature does not match with .pdb signature. source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.00000000051BB000.00000040.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000ACC000.00000040.00000001.01000000.00000017.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.541185132.00000000051EB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: .pdb.dbg source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.00000000051BB000.00000040.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000ACC000.00000040.00000001.01000000.00000017.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.541185132.00000000051EB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: '(EfiGuardDxe.pdbx source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.00000000051BB000.00000040.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000ACC000.00000040.00000001.01000000.00000017.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.541185132.00000000051EB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: symsrv.pdbGCTL source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000C79000.00000040.00000001.01000000.00000017.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.0000000005369000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\admin\source\repos\driver-process-monitor-master\Release\WinmonProcessMonitor.pdb source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000843000.00000040.00000001.01000000.00000017.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.0000000004F33000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\Admin\documents\visual studio 2015\Projects\WinmonFS\Release\WinmonFS.pdb source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000843000.00000040.00000001.01000000.00000017.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.0000000004F33000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: or you do not have access permission to the .pdb location. source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.00000000051BB000.00000040.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000ACC000.00000040.00000001.01000000.00000017.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.541185132.00000000051EB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: An Exception happened while downloading the module .pdbPlease open a bug if this is a consistent repro. source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.00000000051BB000.00000040.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000ACC000.00000040.00000001.01000000.00000017.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.541185132.00000000051EB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\Users\admin\source\repos\driver-process-monitor-master\x64\Release\WinmonProcessMonitor.pdb source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000843000.00000040.00000001.01000000.00000017.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.0000000004F33000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: EfiGuardDxe.pdb source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.00000000051BB000.00000040.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000ACC000.00000040.00000001.01000000.00000017.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.541185132.00000000051EB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: E:\Doc\My work (C++)\_Git\Encryption\Release\encrypt_win_api.pdbI source: 4A15.exe, 0000000A.00000002.419357601.0000000004470000.00000040.00001000.00020000.00000000.sdmp, 4A15.exe, 0000000B.00000002.435887482.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 4A15.exe, 00000018.00000002.436925476.0000000004380000.00000040.00001000.00020000.00000000.sdmp, 4A15.exe, 00000019.00000002.528674260.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 4A15.exe, 0000001B.00000002.521687562.0000000004390000.00000040.00001000.00020000.00000000.sdmp, 4A15.exe, 0000001D.00000002.665875140.0000000000400000.00000040.00000400.00020000.00000000.sdmp
Source:	Binary string: eex.pdb source: explorer.exe, 00000002.00000000.376312472.00007FFC2B141000.00000020.00000001.01000000.00000005.sdmp
Source:	Binary string: C:\vmagent_new\bin\joblist\615425\out\Release\360Installer.pdb0pH\| source: V1NdDWPeq5yoU55PUCrHuT1N.exe, 00000023.00000002.445804410.0000000000471000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: SetupUtility.pdb5 source: 4A15.exe, 00000019.00000003.473464201.0000000009A20000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: Signature does not matchThe module signature does not match with .pdb signature source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.00000000051BB000.00000040.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000ACC000.00000040.00000001.01000000.00000017.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.541185132.00000000051EB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: dbghelp.pdb source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.00000000051BB000.00000040.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000ACC000.00000040.00000001.01000000.00000017.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.541185132.00000000051EB000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: C:\vmagent_new\bin\joblist\615425\out\Release\360Installer.pdb source: V1NdDWPeq5yoU55PUCrHuT1N.exe, 00000023.00000002.445804410.0000000000471000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: dbghelp.pdbGCTL source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.00000000051BB000.00000040.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000ACC000.00000040.00000001.01000000.00000017.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.541185132.00000000051EB000.00000040.00001000.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Unpacked PE file: 11.2.4A15.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Unpacked PE file: 25.2.4A15.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\d11683cc-0d8b-41c4-a224-c03c55bb751f\4A15.exe	Unpacked PE file: 29.2.4A15.exe.400000.0.unpack
Source: C:\Users\user\Pictures\941caPIfMmGnCq8PWe7WWHEk.exe	Unpacked PE file: 34.2.941caPIfMmGnCq8PWe7WWHEk.exe.400000.5.unpack
Source: C:\Users\user\Pictures\f8hJzDp1zQtAPJgciyNSoGpb.exe	Unpacked PE file: 36.2.f8hJzDp1zQtAPJgciyNSoGpb.exe.400000.0.unpack

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 1.2.file.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\jwjrtuw	Unpacked PE file: 7.2.jwjrtuw.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Unpacked PE file: 11.2.4A15.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Unpacked PE file: 25.2.4A15.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\d11683cc-0d8b-41c4-a224-c03c55bb751f\4A15.exe	Unpacked PE file: 29.2.4A15.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\Pictures\941caPIfMmGnCq8PWe7WWHEk.exe	Unpacked PE file: 34.2.941caPIfMmGnCq8PWe7WWHEk.exe.400000.5.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
Source: C:\Users\user\Pictures\f8hJzDp1zQtAPJgciyNSoGpb.exe	Unpacked PE file: 36.2.f8hJzDp1zQtAPJgciyNSoGpb.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
Source: C:\Users\user\Pictures\t3PINyJoW83t7JJSZ5BPE6bi.exe	Unpacked PE file: 37.2.t3PINyJoW83t7JJSZ5BPE6bi.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:EW;

Detected unpacking (creates a PE file in dynamic memory)

Source: C:\Users\user\Pictures\i4PHS5R0iEKcuu4uBuaRKA3v.exe

Unpacked PE file: 26.2.i4PHS5R0iEKcuu4uBuaRKA3v.exe.3840000.2.unpack

Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 10_2_0429F0AF push ecx; retf	10_2_0429F0B2
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 10_2_04498F05 push ecx; ret	10_2_04498F18
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_00428565 push ecx; ret	11_2_00428578

Source: C:\Users\user\AppData\Local\Temp\4A15.exe

Code function: 11_2_00412220 GetCommandLineW,CommandLineToArgvW,PathFindFileNameW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,K32EnumProcesses,OpenProcess,K32EnumProcessModules,K32GetModuleBaseNameW,CloseHandle,

11_2_00412220

Source: mbsmLcWDGIknMhQtAUGQxRi5.exe.18.dr

Static PE information: 0xC9989FCF [Sat Mar 6 02:19:59 2077 UTC]

Source: C:\Windows\explorer.exe

Process created: C:\Windows\System32\regsvr32.exe regsvr32 /s C:\Users\user\AppData\Local\Temp\3958.dll

Source: A388.exe.2.dr	Static PE information: section name: _RDATA
Source: uYMXNl5sSvaZoW3VwBNxI0U7.exe.18.dr	Static PE information: section name:
Source: uYMXNl5sSvaZoW3VwBNxI0U7.exe.18.dr	Static PE information: section name:
Source: uYMXNl5sSvaZoW3VwBNxI0U7.exe.18.dr	Static PE information: section name:
Source: uYMXNl5sSvaZoW3VwBNxI0U7.exe.18.dr	Static PE information: section name:
Source: uYMXNl5sSvaZoW3VwBNxI0U7.exe.18.dr	Static PE information: section name:
Source: uYMXNl5sSvaZoW3VwBNxI0U7.exe.18.dr	Static PE information: section name: .7-Zip0
Source: uYMXNl5sSvaZoW3VwBNxI0U7.exe.18.dr	Static PE information: section name:
Source: uYMXNl5sSvaZoW3VwBNxI0U7.exe.18.dr	Static PE information: section name: .themida
Source: uYMXNl5sSvaZoW3VwBNxI0U7.exe.18.dr	Static PE information: section name: .7-Zip1
Source: uYMXNl5sSvaZoW3VwBNxI0U7.exe.18.dr	Static PE information: section name: .7-Zip2
Source: uYMXNl5sSvaZoW3VwBNxI0U7.exe.18.dr	Static PE information: section name: .7-Zip3
Source: P94EhV34EPtPaMGwUp1MdOBl.exe.18.dr	Static PE information: section name:
Source: P94EhV34EPtPaMGwUp1MdOBl.exe.18.dr	Static PE information: section name:
Source: P94EhV34EPtPaMGwUp1MdOBl.exe.18.dr	Static PE information: section name:
Source: P94EhV34EPtPaMGwUp1MdOBl.exe.18.dr	Static PE information: section name:
Source: P94EhV34EPtPaMGwUp1MdOBl.exe.18.dr	Static PE information: section name:
Source: P94EhV34EPtPaMGwUp1MdOBl.exe.18.dr	Static PE information: section name: .7-Zip0
Source: P94EhV34EPtPaMGwUp1MdOBl.exe.18.dr	Static PE information: section name:
Source: P94EhV34EPtPaMGwUp1MdOBl.exe.18.dr	Static PE information: section name: .themida
Source: P94EhV34EPtPaMGwUp1MdOBl.exe.18.dr	Static PE information: section name: .7-Zip1
Source: P94EhV34EPtPaMGwUp1MdOBl.exe.18.dr	Static PE information: section name: .7-Zip2
Source: P94EhV34EPtPaMGwUp1MdOBl.exe.18.dr	Static PE information: section name: .7-Zip3
Source: yRbowIjZdxellWMLi8kEb6gJ.exe.18.dr	Static PE information: section name: .sxdata
Source: WQ1sXS4A8SPQ3OH5qUwmsfK7.exe.18.dr	Static PE information: section name: .xdata
Source: 1oYHJ3b1F3QrpZXBIXgl6loz.exe.18.dr	Static PE information: section name: .xdata
Source: GlKtZqXQAiyhJM8NCtTVvYcF.exe.18.dr	Static PE information: section name: .sxdata
Source: opugKRO9HQIQrHGr6X89OLro.exe.18.dr	Static PE information: section name:
Source: opugKRO9HQIQrHGr6X89OLro.exe.18.dr	Static PE information: section name:
Source: opugKRO9HQIQrHGr6X89OLro.exe.18.dr	Static PE information: section name:
Source: opugKRO9HQIQrHGr6X89OLro.exe.18.dr	Static PE information: section name:
Source: opugKRO9HQIQrHGr6X89OLro.exe.18.dr	Static PE information: section name:
Source: opugKRO9HQIQrHGr6X89OLro.exe.18.dr	Static PE information: section name: .7-Zip0
Source: opugKRO9HQIQrHGr6X89OLro.exe.18.dr	Static PE information: section name:
Source: opugKRO9HQIQrHGr6X89OLro.exe.18.dr	Static PE information: section name: .themida
Source: opugKRO9HQIQrHGr6X89OLro.exe.18.dr	Static PE information: section name: .7-Zip1
Source: opugKRO9HQIQrHGr6X89OLro.exe.18.dr	Static PE information: section name: .7-Zip2
Source: opugKRO9HQIQrHGr6X89OLro.exe.18.dr	Static PE information: section name: .7-Zip3
Source: AboFkE91gGtC0jX22BS3GOn1.exe.18.dr	Static PE information: section name:
Source: AboFkE91gGtC0jX22BS3GOn1.exe.18.dr	Static PE information: section name:
Source: AboFkE91gGtC0jX22BS3GOn1.exe.18.dr	Static PE information: section name:
Source: AboFkE91gGtC0jX22BS3GOn1.exe.18.dr	Static PE information: section name:
Source: AboFkE91gGtC0jX22BS3GOn1.exe.18.dr	Static PE information: section name:
Source: AboFkE91gGtC0jX22BS3GOn1.exe.18.dr	Static PE information: section name: .7-Zip0
Source: AboFkE91gGtC0jX22BS3GOn1.exe.18.dr	Static PE information: section name:
Source: AboFkE91gGtC0jX22BS3GOn1.exe.18.dr	Static PE information: section name: .themida
Source: AboFkE91gGtC0jX22BS3GOn1.exe.18.dr	Static PE information: section name: .7-Zip1
Source: AboFkE91gGtC0jX22BS3GOn1.exe.18.dr	Static PE information: section name: .7-Zip2
Source: AboFkE91gGtC0jX22BS3GOn1.exe.18.dr	Static PE information: section name: .7-Zip3
Source: SPpYvykupaNYuUQqOkv0xHw6.exe.18.dr	Static PE information: section name:
Source: SPpYvykupaNYuUQqOkv0xHw6.exe.18.dr	Static PE information: section name:
Source: SPpYvykupaNYuUQqOkv0xHw6.exe.18.dr	Static PE information: section name:
Source: SPpYvykupaNYuUQqOkv0xHw6.exe.18.dr	Static PE information: section name:
Source: SPpYvykupaNYuUQqOkv0xHw6.exe.18.dr	Static PE information: section name:
Source: SPpYvykupaNYuUQqOkv0xHw6.exe.18.dr	Static PE information: section name: .7-Zip0
Source: SPpYvykupaNYuUQqOkv0xHw6.exe.18.dr	Static PE information: section name:
Source: SPpYvykupaNYuUQqOkv0xHw6.exe.18.dr	Static PE information: section name: .themida
Source: SPpYvykupaNYuUQqOkv0xHw6.exe.18.dr	Static PE information: section name: .7-Zip1
Source: SPpYvykupaNYuUQqOkv0xHw6.exe.18.dr	Static PE information: section name: .7-Zip2
Source: SPpYvykupaNYuUQqOkv0xHw6.exe.18.dr	Static PE information: section name: .7-Zip3
Source: flZM696vxwchmoky86e6PuiE.exe.18.dr	Static PE information: section name:
Source: flZM696vxwchmoky86e6PuiE.exe.18.dr	Static PE information: section name:
Source: flZM696vxwchmoky86e6PuiE.exe.18.dr	Static PE information: section name:
Source: flZM696vxwchmoky86e6PuiE.exe.18.dr	Static PE information: section name:
Source: flZM696vxwchmoky86e6PuiE.exe.18.dr	Static PE information: section name:
Source: flZM696vxwchmoky86e6PuiE.exe.18.dr	Static PE information: section name: .7-Zip0
Source: flZM696vxwchmoky86e6PuiE.exe.18.dr	Static PE information: section name:
Source: flZM696vxwchmoky86e6PuiE.exe.18.dr	Static PE information: section name: .themida
Source: flZM696vxwchmoky86e6PuiE.exe.18.dr	Static PE information: section name: .7-Zip1
Source: flZM696vxwchmoky86e6PuiE.exe.18.dr	Static PE information: section name: .7-Zip2
Source: flZM696vxwchmoky86e6PuiE.exe.18.dr	Static PE information: section name: .7-Zip3

Source: initial sample

Static PE information: section where entry point is pointing to: .7-Zip3

Source: 3958.dll.2.dr	Static PE information: real checksum: 0x0 should be: 0x1a31a3
Source: Ba6UF83A2hR7tzyyn3dRNO2C.exe.18.dr	Static PE information: real checksum: 0xa3638 should be: 0xa2a18
Source: A388.exe.2.dr	Static PE information: real checksum: 0x0 should be: 0x4b724
Source: grenEgiZiRLW7ypJuIUqFvJB.exe.18.dr	Static PE information: real checksum: 0x0 should be: 0xbdb4d
Source: dBv3dMkRlgVVDPZTZMyWgdJN.exe.18.dr	Static PE information: real checksum: 0xa3638 should be: 0xa2a18
Source: GlKtZqXQAiyhJM8NCtTVvYcF.exe.18.dr	Static PE information: real checksum: 0x0 should be: 0x732447
Source: mdVqxBv1FXzpT51i7izhV1L3.exe.18.dr	Static PE information: real checksum: 0x0 should be: 0x31a2ef
Source: BB52.exe.2.dr	Static PE information: real checksum: 0x0 should be: 0x68ec7b
Source: uGG02PvwRtGMBgiPW7q8rUhy.exe.18.dr	Static PE information: real checksum: 0x0 should be: 0xbdb4d
Source: 1oYHJ3b1F3QrpZXBIXgl6loz.exe.18.dr	Static PE information: real checksum: 0x53ba61 should be: 0x5429d6
Source: mbsmLcWDGIknMhQtAUGQxRi5.exe.18.dr	Static PE information: real checksum: 0x0 should be: 0x31a2ef
Source: yRbowIjZdxellWMLi8kEb6gJ.exe.18.dr	Static PE information: real checksum: 0x0 should be: 0x732447
Source: WQ1sXS4A8SPQ3OH5qUwmsfK7.exe.18.dr	Static PE information: real checksum: 0x53ba61 should be: 0x5429d6
Source: 25C8.dll.2.dr	Static PE information: real checksum: 0x0 should be: 0x1a31a3

Source: initial sample	Static PE information: section name: .text entropy: 7.508633480574993
Source: initial sample	Static PE information: section name: .text entropy: 7.508356543362123
Source: initial sample	Static PE information: section name: .text entropy: 7.508673631423719
Source: initial sample	Static PE information: section name: .text entropy: 7.508633480574993

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\jwjrtuw	Jump to dropped file
Source: C:\Users\user\Pictures\U58dhzMU8ddvYuIUxUkOSiON.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\s51[1]	Jump to dropped file
Source: C:\Users\user\Pictures\U58dhzMU8ddvYuIUxUkOSiON.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\s51[1]	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\eKHEatA2YHjGupA41pjTqd4Q.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\Pwp3yspp3pM97CCYpnZxEaEs.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\CluIFFuzrOPmXrVReYWFXWkl.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\build3[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\Users\user\Pictures\Minor Policy\w6vQnvc6GcufcSoPXxqtk9pf.exe.azhi (copy)	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\KK8iAf5MAhkTAWCxUa0tQFbr.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\grenEgiZiRLW7ypJuIUqFvJB.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\WQ1sXS4A8SPQ3OH5qUwmsfK7.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\gTtQqHKsFf9Nsh1JcOtwF10p.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\Users\user\Pictures\qzThW72RYcWSkAonVKQR5Zam.exe.azhi (copy)	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\9fmETiwrp9mvcT9QPdRrgON5.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\jNWzuOIBQ0iWSRmcZK1mILW4.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\QmwuUY15y0L4DcEZ4ogFMHTp.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\iPhp3cV97VGJ34Ref6E2pORE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\Setup.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\BYpvSgsqBQF2e9VWX5DwhO9b.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\45jOwggrSgiiBeW99lMmxS6j.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\wIL2ZlmqVCEy0oDKdGcGn17c.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\C88Sh505pu9bIEkUIPtIAuGY.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\4A15.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\PgD7qvCHGXafJKVwvHiAw9cK.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\Users\user\Pictures\Minor Policy\uusesdQ3Edo2k5kNA0mkf5gw.exe.azhi (copy)	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\qdXZz0xbr8NxLE1KImKm0Ewp.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\Users\user\Pictures\TDwHwUnikC3d4IvKdWZ8TN8E.exe.azhi (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\Users\user\AppData\Local\4204bcd2-893f-40a6-aea5-23bed3094b06\build3.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\3e7TFXuOpvanKkAtgXUBsjg5.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\KW0cvO7X0axYcWEJHf74m4I5.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\t3PINyJoW83t7JJSZ5BPE6bi.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\Users\user\Pictures\u0apTRIaaBzfoydgvcDO3D8B.exe.azhi (copy)	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\gFd0eLtQK8YMDxXc1BQkGeep.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\Users\user\Pictures\FGncB6Cizu2PKxdPqCgKygMO.exe.azhi (copy)	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\mbsmLcWDGIknMhQtAUGQxRi5.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\YRhJ9y7wcq2JenN54ladams2.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\SGRGSrOrLAvbIwSiEaRMIm3Y.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\TNzDEBB9FdUrEB9ZmBfj0vTU.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\CxjHTt9L9FL0XO680gDmLj9t.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\HZmkan0RtnpmEbbLPyds7uQ6.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\pAN917faLxSCNhjrt1Tur9pL.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\DuDMa6rOf5SGixuVkls53BX0.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\Users\user\Pictures\Minor Policy\dl0eBw1a4nselM03kEjNFUeZ.exe.azhi (copy)	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\LOFVsBSZANM2Xmh0aztGpxRj.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\JNxHITgt9Gfgxa9zzN5RQgfc.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\BB52.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\uYMXNl5sSvaZoW3VwBNxI0U7.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\gcwSzukTSrGmCgHPurGZSV7G.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\FGncB6Cizu2PKxdPqCgKygMO.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\opugKRO9HQIQrHGr6X89OLro.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\Users\user\Pictures\Minor Policy\dHxqqbbMHpGRP1KlVseWr6lF.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\HtIo7KIXeXJCj2oA9gjrZLg4.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\gdGlSTAHRx5XYnptuFFvfF3Y.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\d4dL2ywdYIMevGjO45NXflQu.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\8jjMtFTS9Zlbf6vKPpWxHhte.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\Users\user\Pictures\Minor Policy\dl0eBw1a4nselM03kEjNFUeZ.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\zXDbhoHyWUFQr5mr9s8YwHsD.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\q1a6Hdte5ZphUujirBwwpHRY.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\RoYVZz1e4yTRTjOZHXj4zqUM.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\X91wRWDPO4snjUjOgZjUlicT.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\qX5oeRRpM2S4qHilS3yTr7sq.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\sPCxEY41osSQyAztFqDas2bV.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\Users\user\Pictures\C88Sh505pu9bIEkUIPtIAuGY.exe.azhi (copy)	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\2mAvooCfaVYrwjbi8P7aQwd5.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-23R8R.tmp\Pwp3yspp3pM97CCYpnZxEaEs.tmp	File created: C:\Users\user\AppData\Roaming\DigitalPulse\is-0SIDM.tmp	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\AboFkE91gGtC0jX22BS3GOn1.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\Users\user\Pictures\DuDMa6rOf5SGixuVkls53BX0.exe.azhi (copy)	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\Ba6UF83A2hR7tzyyn3dRNO2C.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\fwfQo65WjnmzC07yXHDaETw8.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\P94EhV34EPtPaMGwUp1MdOBl.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\lWqXWTOTj5tqRWB7LrSzEOfi.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\ZMVfke3FfhAYexvtpGaP7QO0.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\C2TkN5RHqTOX5vO30NGDVLbB.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\mqdlYa5XIp88le49pQN6WBpM.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\SVKcZYT3TwUPvLXOcZVQMjWE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\Users\user\AppData\Local\d11683cc-0d8b-41c4-a224-c03c55bb751f\4A15.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\LhPgYqY29jVhDYACkOwz5AiJ.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\SetupUtility.exe.azhi (copy)	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\Rh0zrbuPE23tmioMFpoeQvyq.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\OdBy5UCgwCs2zOQ5hgwqYDDW.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\V1NdDWPeq5yoU55PUCrHuT1N.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\Users\user\Pictures\Minor Policy\oM7t40xLe0OgCrSQGKhQ7p6Z.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\9117.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\TtG5py94KsXzXSkP3RqVlzUB.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-23R8R.tmp\Pwp3yspp3pM97CCYpnZxEaEs.tmp	File created: C:\Users\user\AppData\Roaming\DigitalPulse\DigitalPulseService.exe (copy)	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\4nmbyTUdyzoQS5v44sOkHxgO.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\U58dhzMU8ddvYuIUxUkOSiON.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\A388.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\Zm8A45fXl2ofLOUYJkU9Hc7y.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\ex3hWoysxxQp9yfxr1vhsCEu.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\hduocco6pWLP0HaA9bgAhije.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\ghXDF7wc1k0lMAVWTQE9mN9d.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\iTvsD7rneILjrgO7TrPXhsJG.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\OoqQROwr1Yg6cLi95suPlaEZ.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\uHshgHc7dTYJxuLdXX1zGE4V.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\TDwHwUnikC3d4IvKdWZ8TN8E.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\0EM9MRJYNgaQ4VquhLvMZCs2.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\GYngh8EVUEw76N8T1NO6LHCp.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\sXkL3LKFhhFZp9IPDF60kufQ.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-23R8R.tmp\Pwp3yspp3pM97CCYpnZxEaEs.tmp	File created: C:\Users\user\AppData\Roaming\DigitalPulse\is-VGBL0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\Users\user\Pictures\Minor Policy\MAq6dYMqMOp7jsSy8ZTXM3iM.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\ekOUFFIwIeDOzbw9eNWrMi30.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\PQupt0HW1Hr6CvQnLIpAX9Nn.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\u0apTRIaaBzfoydgvcDO3D8B.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-23R8R.tmp\Pwp3yspp3pM97CCYpnZxEaEs.tmp	File created: C:\Users\user\AppData\Roaming\DigitalPulse\DigitalPulseUpdate.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\Users\user\Pictures\Minor Policy\oM7t40xLe0OgCrSQGKhQ7p6Z.exe.azhi (copy)	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\3zaREjkJ8eT5V6QYRyuztw7a.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\cS0SutwWZwoWvtpaGLPFoC2y.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\ndfd6Kq0UsE3T3ImvDCKwi8c.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\RMGQS3F1UiPheVnWeV2JpDqL.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\z2jspOJECx7C1xJp0mXk8tDq.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\Users\user\Pictures\Minor Policy\KvSnRxw7nRoWWzdlM6L4ADmH.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\Setup.exe.azhi (copy)	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\WMMeMLRqjSsdlkGClauVg3Va.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\941caPIfMmGnCq8PWe7WWHEk.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\GKjBUOzHFWuZkPSfpmsGrIXJ.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\LFQuJgUFeCErm0Je4c8RfLzf.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\Users\user\Pictures\Minor Policy\GXEmL9Hio2yqAqGb8rDpNfoq.exe.azhi (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\Users\user\Pictures\Minor Policy\MAq6dYMqMOp7jsSy8ZTXM3iM.exe.azhi (copy)	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\nG1N9nGRo8GAvgDDfFLRMM5E.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-23R8R.tmp\Pwp3yspp3pM97CCYpnZxEaEs.tmp	File created: C:\Users\user\AppData\Roaming\DigitalPulse\unins000.exe (copy)	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\dBv3dMkRlgVVDPZTZMyWgdJN.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\build2[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\xmJBaRtKA9fm4EreSTrCxLrH.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\jkJntnUiFKCYlUk0tBLKBOQE.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\flZM696vxwchmoky86e6PuiE.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\en2Jyn1qg7jEGhbzerb4PGCA.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\PWW3NllpNWDgvXFV7Tah5Tq9.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\3958.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\F58q5AtuSb0KXmkDjDm8UY4r.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\xWzXbvgqSclHLdENdr90zH0e.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\Users\user\Pictures\Minor Policy\w6vQnvc6GcufcSoPXxqtk9pf.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\f8hJzDp1zQtAPJgciyNSoGpb.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\zUUHNzh5T8q1lb1rXsANRm0p.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\Users\user\Pictures\Minor Policy\XxaWUuSPH3Fo3U3cdFyCwDfN.exe.azhi (copy)	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\qvQF1TKYhYFFgSpHGD6rgb7v.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\soa3mGK83PMJk1RZrnayLoiR.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\Qf1uzkxmrsAEWK29C7uEFmrZ.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\2629.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\Users\user\Pictures\t3PINyJoW83t7JJSZ5BPE6bi.exe.azhi (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-23R8R.tmp\Pwp3yspp3pM97CCYpnZxEaEs.tmp	File created: C:\Users\user\AppData\Roaming\DigitalPulse\is-KJIQ4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\SetupUtility.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\O4TFp27C2n3WSIh4cH9WqD5A.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\tJU5p8ys1whXWo8BDeT3nnmx.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\NjXePrSynHsARTml2YUxC7hl.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\jwjrtuw	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\rdOeLIubzEtA5kaQGojFXfzi.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\l4NNL3d0gUhzOZ4YXgbQgdkt.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\uGG02PvwRtGMBgiPW7q8rUhy.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\hypYBFCjte80ItmGLKdfXKZ2.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\SPpYvykupaNYuUQqOkv0xHw6.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\lPklOteJSGW2ZOcLzoL339u4.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\GlKtZqXQAiyhJM8NCtTVvYcF.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\lCgtZ6E4HkEVDH0ClzJMZwZY.exe	Jump to dropped file
Source: C:\Users\user\Pictures\U58dhzMU8ddvYuIUxUkOSiON.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\s51[1]	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\N5fklblcsXVYu4JmfhsKVoFv.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\fyRhz339Pv56oNzsjdndKi51.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\rOWY7QA6HmKaReenlQLKGBVq.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\Uj24luzqBnidcXyEK0ccsV0u.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\90MmY3vsUc9ABzZegEZBdNOJ.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\Users\user\Pictures\Minor Policy\dHxqqbbMHpGRP1KlVseWr6lF.exe.azhi (copy)	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\tIomxm3YzHufqxsKHNVvwAcF.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\mdVqxBv1FXzpT51i7izhV1L3.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\KbXck5SLdtiTd8Kvi7iaPG3v.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\YXm3NwMNdpjawwYFNXTrNGEs.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\D8E5.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\c8KXUlVEBLWKm0FvrBR7FzOQ.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\WzFp4Ue0aRPtu9AGKLArlpQs.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\TUpbZ8vU8BuCVac1Gcxet4HJ.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\zB0tyM6N8N1lhBO2ZyVBkpB0.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\Tc3J3MYPBvAb1zFAQ5lDv3bp.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\MgZKvMc7DV5RedICsSIU2R0o.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\gIwaldePRmh9KRuICLUyfpks.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\yRbowIjZdxellWMLi8kEb6gJ.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\RhAMzHnnu31IkY36iE1sZ1J2.exe	Jump to dropped file
Source: C:\Users\user\Pictures\U58dhzMU8ddvYuIUxUkOSiON.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\s51[1]	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\zDIXJhMuVzNtJxExlDXABWMh.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\Users\user\AppData\Local\4204bcd2-893f-40a6-aea5-23bed3094b06\build2.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\r7udPMXlAvzgwc1HpIoaUJHs.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\cIYKpG6eQ8E5shW60pciCDk9.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\iCCTvyp70q0GmXWM7T6SbAw3.exe	Jump to dropped file
Source: C:\Users\user\Pictures\U58dhzMU8ddvYuIUxUkOSiON.exe	File created: C:\Users\user\AppData\Local\Temp\5838081746.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\szKukjqbkrhlE2n6dTEMyu9d.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\wlmRug0KapvbPX1WnJ7a9tAS.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\2D42.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\t1VMdyrwrvacSZR05WqVdNos.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\PEETw0QK3zD9r7HEE5AR45AO.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\kCzd2hvmIWrMuzzglfLDz5jN.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\25C8.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\qzThW72RYcWSkAonVKQR5Zam.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\ZOi0qzxm5CX6wQOzSpSM9xKZ.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\3R8Ck5RbDm3DwHyYiEHPdMPU.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\Users\user\Pictures\Minor Policy\uusesdQ3Edo2k5kNA0mkf5gw.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\0lRbbbWcsJKvfly5UKkRLgWl.exe	Jump to dropped file
Source: C:\Users\user\Pictures\YRhJ9y7wcq2JenN54ladams2.exe	File created: C:\Users\user\AppData\Local\Temp\is-O59IV.tmp\YRhJ9y7wcq2JenN54ladams2.tmp	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\7NPiD49RQYuqr08A8L1me5Vl.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\Users\user\Pictures\Minor Policy\UZMd9akv_Vfb8MG5RwDjTpGs.exe.azhi (copy)	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\3Q13EXxFz2FZ8WAMgsOWhK6Y.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\46ajs7POqByEYUKIKWz4ttVU.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\18TZ4GlEcXROaMlzQyxlot37.exe	Jump to dropped file
Source: C:\Users\user\Pictures\Pwp3yspp3pM97CCYpnZxEaEs.exe	File created: C:\Users\user\AppData\Local\Temp\is-23R8R.tmp\Pwp3yspp3pM97CCYpnZxEaEs.tmp	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\mGx41hPeYElMLjZ4bbI9SOQq.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\RblTvSwpBJ357KsApRz6smyw.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\2OoGOAjocmnrCO0Kg3mdJjGT.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\3DW8qUWA963x8XKarJJ0WTU1.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\71FtIFRHiuIrBlnLJFT3ZXQN.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\Users\user\Pictures\Minor Policy\KvSnRxw7nRoWWzdlM6L4ADmH.exe.azhi (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\Users\user\Pictures\Minor Policy\UZMd9akv_Vfb8MG5RwDjTpGs.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\Users\user\Pictures\Minor Policy\XxaWUuSPH3Fo3U3cdFyCwDfN.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\Users\user\Pictures\Minor Policy\GXEmL9Hio2yqAqGb8rDpNfoq.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\SXfcayqkk1DZ7GAEIik6FBEC.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\2lVdyQwPNGbHgZp4B3rD4Yqg.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\nlZXac1d8FE86X98ibImDWvF.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\4b20TTfioBavoCXVhZH8FlIL.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\DFhwCIhHEDQ5pEOtcRuwyHkl.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\Users\user\Pictures\OoqQROwr1Yg6cLi95suPlaEZ.exe.azhi (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-23R8R.tmp\Pwp3yspp3pM97CCYpnZxEaEs.tmp	File created: C:\Users\user\AppData\Local\Temp\is-N0LK6.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\t0EOMhSnTVCOCZS9qZwimCQw.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\cDbEZELclwHIblfubBb7q5VJ.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\i4PHS5R0iEKcuu4uBuaRKA3v.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\9315.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\G2DNcZFdbZ5vEmNAUVLs9Ohf.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\X4G1qMGsevrGDCsTxtK3q3TA.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\Mrqt0LPomy7YxUAwjV5w1C4Z.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\VWecoOkiAKSpFQMeoTrTyGCa.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\8XubnCv1993Zn4FRUL2X67x0.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\FJSjysH5UVVCzLZbTWiurcoJ.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\9rjyJ5VsLUcAN5cWEKCTLeAn.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\v5b6ykiuRrf9juwnW3RUfpyP.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\1oYHJ3b1F3QrpZXBIXgl6loz.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\_readme.txt
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\_readme.txt
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1025\_readme.txt
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1028\_readme.txt
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1029\_readme.txt
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1030\_readme.txt
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1031\_readme.txt
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1032\_readme.txt
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1033\_readme.txt
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1035\_readme.txt
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1036\_readme.txt
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1037\_readme.txt
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1038\_readme.txt
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1040\_readme.txt
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1041\_readme.txt
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1042\_readme.txt
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1043\_readme.txt
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1044\_readme.txt
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1045\_readme.txt
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1046\_readme.txt
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1049\_readme.txt
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1053\_readme.txt
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\1055\_readme.txt
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\2052\_readme.txt
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\2070\_readme.txt
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\3082\_readme.txt
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\adc91a0e0132170ee1c9ace67d4b\Graphics\_readme.txt
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	File created: C:\Users\user\_readme.txt

Boot Survival

Creates multiple autostart registry keys

Source: C:\Users\user\AppData\Local\Temp\is-23R8R.tmp\Pwp3yspp3pM97CCYpnZxEaEs.tmp	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run DigitalPulse
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run SysHelper			Jump to behavior

Drops script or batch files to the startup folder

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cT1woQpizC6vcsIhG30ZQlQi.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\T84nsKO1CTEA0v5s172Ng97O.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rJML2qbU2x4efJRvXQmhf8RZ.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zQTzjmsbagDNgxuMxxvWCD8k.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ogS6GI971UbwFUMRvTH526Ng.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\o7Ltlgbuhc2pTKM6VdDLYPeY.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cqnfn7K2uSSgR0BK2dmSG6RT.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmuO211gYTn8iCs01aaXkTed.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mgdvdw3c1wBKaXMXrb2EOv9W.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bMV0AJsrIFEu61FsUzZ3Drg4.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mDbURsIxi4UnUxZyhZbmGv8D.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0bUmj41QzTFKxcsKeTSfKkOO.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zmnJRByvDUkcoP7wAlcOz4fD.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Jg7MBx8Eimj9jzWN7SGXgCPJ.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exzdtm0wZNhsJNbT7QPWRUFE.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EqPIdUUlTMy5tQLkxM9fn0Ae.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DZNdMDc7jqkeF9bqdtQef9yM.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BIDZnNdiQJAaINi14fIkmT0h.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YCn5gwEDkBtWGFrNNMijrH2o.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VYHdYGipdDukoUN4vtDtIoGo.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zwMxzFEl9AYYdEJnYuMrZFRE.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Q4EkPjCkxeFEQ1Eatt9Dwxh.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jU9C5BnteHyTc9SaNrtdcXLF.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pffVw7spgUfcbHvL0goxMzxQ.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\K0dzfudLJ4R9jr53jDBveT1d.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5FHiG1jFHMv7GsPhOUzodwEo.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OJIkGrj7wa8sdrCAl5rVAqI7.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iwDuhOuTh3OumoPBD4ROUdv1.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PiUS4qsAk3nJglYx9uYKTWKM.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gEatP5rYPHhzi7hzLCguIIkD.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FVSZ5f8OUEP7i1ry4oDQSxqU.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\S4tcLQiJwRoe30tH0sEtEDOs.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4DG0XAULkG4rtQXtfX3kCH5m.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UdmZfQQ5qXAW8NHTfIDGE6mL.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xwwZiWJtqiPyuHGdDeQvFFlw.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nHOXbHeygi9ejoq1v86AFvdZ.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yYAGJkr1nyEU0XfzTRSj3Pt8.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\trQ9bZRspPuCYbV3WtPprw6Q.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mA4Aqg8LeqPlIO7zNJ1CDIlw.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\doYPozeGIFDZmObCagCEQLu8.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aNUjsDMzxrUZ9pMyOMHt7aH1.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KTEYXtNqiWcY5UFNzSqYDslr.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PB9LzXES4aybf4XF2Nl44BCv.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OLS2gd5i4fNCKRL2gGt0JX1k.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zM2HPwdlDIpliCdYrSbuLgMc.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fTbmVIx9tHa82q2Xw16exu7m.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dtKs2tS72ZiQUqQJbm6PlXNn.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MpI6yHPMnpE9wO0VLneXkBvT.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qquxvpgTE06quf47P6Hr5Hix.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OEQ6K9YiI6P1luZke1R8ZVud.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fMA6KEnRS3bOmy31UfZkaOcX.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\62l33e7HUe40sAbIBogbEpmM.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lcCVWu7ZYHEafDMGCkY7sR2G.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QIttVglwj2HtPQeFbGsTsTBG.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\M7S73t6hBdZDj23RDOUIkddh.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\M6d7Epczs7g4ly9ridfMV5Um.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\orm1tV5mrVJ5E8pEGOQYpSH9.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pZRcD6tlAQ9BuiAybpYpvOsT.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qV5iTvTL8Sj2XqX5shxpgs1m.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Yvdmir6PCG9PcsgBUQPDicbH.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e9VF2IVEsQy2wXp3Fmzr839j.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YPBkrWCoxboqSNx8lEtAyzJ0.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0vrHkwSzKoIdyE31xmdhdzW9.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rVQy8crS1kFmaQTOJgtusLjN.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yq4chNFGYAkyzyEdaZH2HqIK.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qsHLHdmkHFgmHHWZoRJcEBWJ.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QETfbaDRTdtgjhXvrYD8MQH8.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oKpQkZx8V8ZMmplldvhOMwLF.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VhTJ6AtzebMaD1wtY1ld826g.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ATKKHBDhrRJwctnRcnUm6Pcg.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LHEl0niwjoltQS39V2LJgECA.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\F0wBxbY5f5DKwVnQVeO4owaC.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sa989uESZtC2k5fPxh7JOAOo.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Aflaw6AZSGKIe0s45Bz4rgPm.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\E7Idc4Rv0o4k8F06OBpETIIR.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xc8ndnBgtKiEp95qA74vXtJn.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ft6shQtleq2YoP6uxtjELNIa.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DdEpoZZi4YOh4OnfrVdHElZb.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FjkoyI2B9AB48Ezj9TYV0Ahw.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eGd4n9cCkUYchxkeXTXmdykg.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nQPwDzQPxeP9tbtTOADsUnQS.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hiUMZ8f6oKK1xINDp3JWAlOW.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dOE732BLSg0lcFC2QsLbsVdq.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upUS4SXwlCEkOWrOaZRg0iWx.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JWy61aGHvYMDcW2BYZLaPgOc.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0Lfhv80yjQqPZSzTm3yFdWPF.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Cnjktv5SHVaWkmg93IvmjT0w.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XkIN41cGFrm9aGL6NKqH1FLp.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\g66AQFpQYrLlKLwe8BD5OCfh.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\745tzE4k357KTJX9XrGihSFX.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7LUSH97ozicm8oSAzFzv30fB.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UdKSHjICWNJimHBknLaPjXaz.bat	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QIttVglwj2HtPQeFbGsTsTBG.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\M7S73t6hBdZDj23RDOUIkddh.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\M6d7Epczs7g4ly9ridfMV5Um.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yq4chNFGYAkyzyEdaZH2HqIK.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qsHLHdmkHFgmHHWZoRJcEBWJ.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QETfbaDRTdtgjhXvrYD8MQH8.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LHEl0niwjoltQS39V2LJgECA.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\F0wBxbY5f5DKwVnQVeO4owaC.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sa989uESZtC2k5fPxh7JOAOo.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Aflaw6AZSGKIe0s45Bz4rgPm.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FjkoyI2B9AB48Ezj9TYV0Ahw.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nQPwDzQPxeP9tbtTOADsUnQS.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upUS4SXwlCEkOWrOaZRg0iWx.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dOE732BLSg0lcFC2QsLbsVdq.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JWy61aGHvYMDcW2BYZLaPgOc.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0Lfhv80yjQqPZSzTm3yFdWPF.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Cnjktv5SHVaWkmg93IvmjT0w.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XkIN41cGFrm9aGL6NKqH1FLp.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\g66AQFpQYrLlKLwe8BD5OCfh.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\745tzE4k357KTJX9XrGihSFX.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7LUSH97ozicm8oSAzFzv30fB.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UdKSHjICWNJimHBknLaPjXaz.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KTEYXtNqiWcY5UFNzSqYDslr.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rVQy8crS1kFmaQTOJgtusLjN.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DdEpoZZi4YOh4OnfrVdHElZb.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\eGd4n9cCkUYchxkeXTXmdykg.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fTbmVIx9tHa82q2Xw16exu7m.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hiUMZ8f6oKK1xINDp3JWAlOW.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iwDuhOuTh3OumoPBD4ROUdv1.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fMA6KEnRS3bOmy31UfZkaOcX.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lcCVWu7ZYHEafDMGCkY7sR2G.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pZRcD6tlAQ9BuiAybpYpvOsT.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Yvdmir6PCG9PcsgBUQPDicbH.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YPBkrWCoxboqSNx8lEtAyzJ0.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0vrHkwSzKoIdyE31xmdhdzW9.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\oKpQkZx8V8ZMmplldvhOMwLF.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VhTJ6AtzebMaD1wtY1ld826g.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ATKKHBDhrRJwctnRcnUm6Pcg.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\E7Idc4Rv0o4k8F06OBpETIIR.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Xc8ndnBgtKiEp95qA74vXtJn.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ft6shQtleq2YoP6uxtjELNIa.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mgdvdw3c1wBKaXMXrb2EOv9W.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mDbURsIxi4UnUxZyhZbmGv8D.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zmnJRByvDUkcoP7wAlcOz4fD.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\exzdtm0wZNhsJNbT7QPWRUFE.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DZNdMDc7jqkeF9bqdtQef9yM.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YCn5gwEDkBtWGFrNNMijrH2o.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\VYHdYGipdDukoUN4vtDtIoGo.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Q4EkPjCkxeFEQ1Eatt9Dwxh.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\pffVw7spgUfcbHvL0goxMzxQ.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OJIkGrj7wa8sdrCAl5rVAqI7.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FVSZ5f8OUEP7i1ry4oDQSxqU.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\S4tcLQiJwRoe30tH0sEtEDOs.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4DG0XAULkG4rtQXtfX3kCH5m.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UdmZfQQ5qXAW8NHTfIDGE6mL.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xwwZiWJtqiPyuHGdDeQvFFlw.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\nHOXbHeygi9ejoq1v86AFvdZ.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yYAGJkr1nyEU0XfzTRSj3Pt8.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\trQ9bZRspPuCYbV3WtPprw6Q.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mA4Aqg8LeqPlIO7zNJ1CDIlw.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\doYPozeGIFDZmObCagCEQLu8.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\aNUjsDMzxrUZ9pMyOMHt7aH1.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PB9LzXES4aybf4XF2Nl44BCv.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OLS2gd5i4fNCKRL2gGt0JX1k.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zM2HPwdlDIpliCdYrSbuLgMc.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dtKs2tS72ZiQUqQJbm6PlXNn.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MpI6yHPMnpE9wO0VLneXkBvT.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qquxvpgTE06quf47P6Hr5Hix.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OEQ6K9YiI6P1luZke1R8ZVud.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\62l33e7HUe40sAbIBogbEpmM.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\orm1tV5mrVJ5E8pEGOQYpSH9.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qV5iTvTL8Sj2XqX5shxpgs1m.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\e9VF2IVEsQy2wXp3Fmzr839j.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cT1woQpizC6vcsIhG30ZQlQi.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\T84nsKO1CTEA0v5s172Ng97O.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rJML2qbU2x4efJRvXQmhf8RZ.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zQTzjmsbagDNgxuMxxvWCD8k.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ogS6GI971UbwFUMRvTH526Ng.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\o7Ltlgbuhc2pTKM6VdDLYPeY.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cqnfn7K2uSSgR0BK2dmSG6RT.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmuO211gYTn8iCs01aaXkTed.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bMV0AJsrIFEu61FsUzZ3Drg4.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0bUmj41QzTFKxcsKeTSfKkOO.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Jg7MBx8Eimj9jzWN7SGXgCPJ.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EqPIdUUlTMy5tQLkxM9fn0Ae.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BIDZnNdiQJAaINi14fIkmT0h.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\zwMxzFEl9AYYdEJnYuMrZFRE.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\jU9C5BnteHyTc9SaNrtdcXLF.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\K0dzfudLJ4R9jr53jDBveT1d.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5FHiG1jFHMv7GsPhOUzodwEo.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PiUS4qsAk3nJglYx9uYKTWKM.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gEatP5rYPHhzi7hzLCguIIkD.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\f0mlloe6MNO2zJGgbuLGKn4f.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\79IZzBPQMZL8GZZYbkeNKnfs.bat
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hjURrOnfsa0JouNKaF4NqaVe.bat
Source: C:\Users\user\AppData\Local\Temp\is-23R8R.tmp\Pwp3yspp3pM97CCYpnZxEaEs.tmp	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\DigitalPulse
Source: C:\Users\user\AppData\Local\Temp\is-23R8R.tmp\Pwp3yspp3pM97CCYpnZxEaEs.tmp	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\DigitalPulse\DigitalPulse.lnk

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QIttVglwj2HtPQeFbGsTsTBG.bat

Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run SysHelper	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run SysHelper	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\is-23R8R.tmp\Pwp3yspp3pM97CCYpnZxEaEs.tmp	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run DigitalPulse
Source: C:\Users\user\AppData\Local\Temp\is-23R8R.tmp\Pwp3yspp3pM97CCYpnZxEaEs.tmp	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run DigitalPulse

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\file.exe

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe

File opened: C:\Users\user\AppData\Roaming\jwjrtuw:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\4A15.exe

Code function: 11_2_00427D6C RtlEncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

11_2_00427D6C

Source: C:\Users\user\AppData\Local\Temp\4A15.exe

Process created: C:\Windows\SysWOW64\icacls.exe icacls "C:\Users\user\AppData\Local\d11683cc-0d8b-41c4-a224-c03c55bb751f" /deny *S-1-1-0:(OI)(CI)(DE,DC)

Source: C:\Users\user\Pictures\U58dhzMU8ddvYuIUxUkOSiON.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Pictures\U58dhzMU8ddvYuIUxUkOSiON.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Pictures\941caPIfMmGnCq8PWe7WWHEk.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Pictures\941caPIfMmGnCq8PWe7WWHEk.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Pictures\941caPIfMmGnCq8PWe7WWHEk.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Pictures\941caPIfMmGnCq8PWe7WWHEk.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Pictures\f8hJzDp1zQtAPJgciyNSoGpb.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Pictures\f8hJzDp1zQtAPJgciyNSoGpb.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\AppData\Local\Temp\is-O59IV.tmp\YRhJ9y7wcq2JenN54ladams2.tmp	Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\Pwp3yspp3pM97CCYpnZxEaEs.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\YRhJ9y7wcq2JenN54ladams2.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\U58dhzMU8ddvYuIUxUkOSiON.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\941caPIfMmGnCq8PWe7WWHEk.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\941caPIfMmGnCq8PWe7WWHEk.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\f8hJzDp1zQtAPJgciyNSoGpb.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Users\user\Pictures\f8hJzDp1zQtAPJgciyNSoGpb.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-23R8R.tmp\Pwp3yspp3pM97CCYpnZxEaEs.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-23R8R.tmp\Pwp3yspp3pM97CCYpnZxEaEs.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-23R8R.tmp\Pwp3yspp3pM97CCYpnZxEaEs.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-23R8R.tmp\Pwp3yspp3pM97CCYpnZxEaEs.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-23R8R.tmp\Pwp3yspp3pM97CCYpnZxEaEs.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-23R8R.tmp\Pwp3yspp3pM97CCYpnZxEaEs.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-23R8R.tmp\Pwp3yspp3pM97CCYpnZxEaEs.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-23R8R.tmp\Pwp3yspp3pM97CCYpnZxEaEs.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-23R8R.tmp\Pwp3yspp3pM97CCYpnZxEaEs.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-23R8R.tmp\Pwp3yspp3pM97CCYpnZxEaEs.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-23R8R.tmp\Pwp3yspp3pM97CCYpnZxEaEs.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-O59IV.tmp\YRhJ9y7wcq2JenN54ladams2.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-O59IV.tmp\YRhJ9y7wcq2JenN54ladams2.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-O59IV.tmp\YRhJ9y7wcq2JenN54ladams2.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-O59IV.tmp\YRhJ9y7wcq2JenN54ladams2.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000400000.00000040.00000001.01000000.00000017.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.522431758.0000000000400000.00000040.00000001.01000000.00000019.sdmp	Binary or memory string: RTP.EXESYSTEMROOT=SETFILETIMESIGNWRITINGSOFT_DOTTEDSYSTEMDRIVETTL EXPIREDUNINSTALLERVBOXSERVICEVMUSRVC.EXEVARIANTINITVIRTUALFREEVIRTUALLOCKWSARECVFROMWARANG_CITIWHITE_SPACEWINDEFENDER[:^XDIGIT:]\DSEFIX.EXEADDITIONALSALARM CLOCKAPPLICATIONASSISTQUEUEAUTHORITIESBAD ADDRESSBAD ARGSIZEBAD M VALUEBAD MESSAGEBAD TIMEDIVBITCOINS.SKBROKEN PIPECAMPAIGN_IDCGOCALL NILCLOBBERFREECLOSESOCKETCOMBASE.DLLCREATED BY CRYPT32.DLLE2.KEFF.ORGEMBEDDED/%SEXTERNAL IPFILE EXISTSFINAL TOKENFLOAT32NAN2FLOAT64NAN1FLOAT64NAN2FLOAT64NAN3GCCHECKMARKGENERALIZEDGET CDN: %WGETPEERNAMEGETSOCKNAMEGLOBALALLOCHTTP2CLIENTHTTP2SERVERHTTPS_PROXYI/O TIMEOUTLOCAL ERRORMSPANMANUALMETHODARGS(MINTRIGGER=MOVE %S: %WMSWSOCK.DLLNETPOLLINITNEXT SERVERNIL CONTEXTOPERA-PROXYORANNIS.COMOUT OF SYNCPARSE ERRORPROCESS: %SREFLECT.SETREFLECTOFFSRETRY-AFTERRUNTIME: P RUNTIME: G RUNTIME: P SCHEDDETAILSECHOST.DLLSECUR32.DLLSERVICE: %SSHELL32.DLLSHORT WRITESTACK TRACESTART PROXYTASKMGR.EXETLS: ALERT(TRACEALLOC(TRAFFIC UPDUNREACHABLEUSERENV.DLLVERSION.DLLVERSION=195WININET.DLLWUP_PROCESS (SENSITIVE) B (
Source: file.exe, 00000001.00000002.376731132.0000000002648000.00000004.00000020.00020000.00000000.sdmp, jwjrtuw, 00000007.00000002.428752132.00000000026EA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ASWHOOK
Source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000400000.00000040.00000001.01000000.00000017.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.522431758.0000000000400000.00000040.00000001.01000000.00000019.sdmp	Binary or memory string: TOO MANY LINKSTOO MANY USERSTORRC FILENAMEUNEXPECTED EOFUNKNOWN CODE: UNKNOWN ERROR UNKNOWN METHODUNKNOWN MODE: UNREACHABLE: UNSAFE.POINTERUSERARENASTATEVIRTUALBOX: %WVMWARETRAY.EXEVMWAREUSER.EXEWII LIBNUP/1.0WINAPI ERROR #WINDOW CREATEDWORK.FULL != 0XENSERVICE.EXEZERO PARAMETER WITH GC PROG
Source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000400000.00000040.00000001.01000000.00000017.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.522431758.0000000000400000.00000040.00000001.01000000.00000019.sdmp	Binary or memory string: ... OMITTING ACCEPT-CHARSETAFTER EFIGUARDALLOCFREETRACEBAD ALLOCCOUNTBAD RECORD MACBAD RESTART PCBAD SPAN STATEBTC.USEBSV.COMCERT INSTALLEDCHECKSUM ERRORCONTENT-LENGTHCOULDN'T PATCHDATA TRUNCATEDDISTRIBUTOR_IDDRIVER REMOVEDERROR RESPONSEFILE TOO LARGEFINALIZER WAITGCSTOPTHEWORLDGET UPTIME: %WGETPROTOBYNAMEGOT SYSTEM PIDINITIAL SERVERINTERNAL ERRORINVALID SYNTAXIS A DIRECTORYKEY SIZE WRONGLEVEL 2 HALTEDLEVEL 3 HALTEDMEMPROFILERATEMULTIPARTFILESNEED MORE DATANIL ELEM TYPE!NO MODULE DATANO SUCH DEVICEOPEN EVENT: %WPARSE CERT: %WPROTOCOL ERRORREAD CERTS: %WREAD_FRAME_EOFREFLECT.VALUE.REMOVE APP: %WRUNTIME: FULL=RUNTIME: WANT=S.ALLOCCOUNT= SEMAROOT QUEUESERVER.VERSIONSTACK OVERFLOWSTOPM SPINNINGSTORE64 FAILEDSYNC.COND.WAITTEXT FILE BUSYTIME.LOCATION(TIMEENDPERIODTOO MANY LINKSTOO MANY USERSTORRC FILENAMEUNEXPECTED EOFUNKNOWN CODE: UNKNOWN ERROR UNKNOWN METHODUNKNOWN MODE: UNREACHABLE: UNSAFE.POINTERUSERARENASTATEVIRTUALBOX: %WVMWARETRAY.EXEVMWAREUSER.EXEWII LIBNUP/1.0WINAPI ERROR #WINDOW CREATEDWORK.FULL != 0XENSERVICE.EXEZERO PARAMETER WITH GC PROG

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jwjrtuw	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jwjrtuw	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jwjrtuw	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jwjrtuw	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jwjrtuw	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jwjrtuw	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Pictures\t3PINyJoW83t7JJSZ5BPE6bi.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Pictures\t3PINyJoW83t7JJSZ5BPE6bi.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Pictures\t3PINyJoW83t7JJSZ5BPE6bi.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Pictures\t3PINyJoW83t7JJSZ5BPE6bi.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Pictures\t3PINyJoW83t7JJSZ5BPE6bi.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Pictures\t3PINyJoW83t7JJSZ5BPE6bi.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI

Tries to detect sandboxes / dynamic malware analysis system (file name check)

Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\sElF.exE	Jump to behavior

Source: C:\Windows\explorer.exe TID: 6684	Thread sleep time: -59400s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 6676	Thread sleep time: -109400s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 4288	Thread sleep time: -660000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2044	Thread sleep time: -46300s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7456	Thread sleep time: -30300s >= -30000s	Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 6972	Thread sleep time: -90000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -18446744073709540s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -600000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3532	Thread sleep count: 4105 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 3532	Thread sleep count: 4497 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -599872s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -599765s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -599657s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -599532s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -599407s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -599282s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -599157s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -599029s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -598922s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -598797s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -598672s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -598547s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -598421s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -598313s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -598204s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -598079s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -597954s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -597844s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -597719s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -597610s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -597485s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -597360s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -597235s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -597110s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -596985s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -596860s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -596735s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -596604s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -596485s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -596360s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -596233s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -596107s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -595938s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -595799s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -595641s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -595344s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -595110s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -594856s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -594672s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -594485s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -594296s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -594094s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -593860s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5460	Thread sleep time: -900000s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -593610s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -593344s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -593141s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -592954s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -592790s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -592554s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -592351s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -592132s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -591979s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -591523s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -591356s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -590934s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -590315s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -590127s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -589929s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -589789s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -589622s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -589305s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -588852s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -588652s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -588308s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -588027s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -587869s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -587415s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -587009s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -586228s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -585949s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -585661s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -585458s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -585207s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -584962s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -584040s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -583228s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -583103s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -582965s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -582855s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -582726s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -582579s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -582440s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -582291s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -582177s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -582054s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -581935s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -581815s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -581685s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -581551s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -581421s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -581300s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -581157s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -580944s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -580822s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -580708s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -580581s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -580436s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -580310s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -580141s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -579885s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -579668s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -579355s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -579215s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -579034s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -578829s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -578703s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -578549s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -578364s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -578160s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -577932s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -577761s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -577584s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -577322s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -577182s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -577066s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -576931s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -576809s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -576486s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -576236s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -576103s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -575944s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -575827s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -575695s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -575567s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -575432s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -575308s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -575186s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -575074s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -574917s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -574758s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -574565s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -574442s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 1828	Thread sleep time: -574293s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\4A15.exe TID: 5468	Thread sleep time: -700000s >= -30000s
Source: C:\Users\user\Pictures\i4PHS5R0iEKcuu4uBuaRKA3v.exe TID: 6868	Thread sleep time: -3300000s >= -30000s
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe TID: 5704	Thread sleep time: -6456360425798339s >= -30000s
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe TID: 5704	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Pictures\U58dhzMU8ddvYuIUxUkOSiON.exe TID: 5480	Thread sleep time: -90000s >= -30000s

Source: C:\Users\user\Pictures\i4PHS5R0iEKcuu4uBuaRKA3v.exe	Last function: Thread delayed
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\4A15.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

graph_11-40743

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599657
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599407
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599282
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599157
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599029
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598922
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598797
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598421
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598313
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598204
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598079
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597954
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597844
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597719
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597235
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596985
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596604
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596233
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596107
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595799
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595641
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595344
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594856
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594296
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594094
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 593860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 300000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 593610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 593344
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 593141
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 592954
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 592790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 592554
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 592351
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 592132
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 591979
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 591523
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 591356
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 590934
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 590315
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 590127
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 589929
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 589789
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 589622
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 589305
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 588852
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 588652
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 588308
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 588027
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 587869
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 587415
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 587009
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 586228
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 585949
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 585661
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 585458
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 585207
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 584962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 584040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 583228
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 583103
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 582965
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 582855
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 582726
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 582579
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 582440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 582291
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 582177
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 582054
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 581935
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 581815
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 581685
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 581551
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 581421
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 581300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 581157
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 580944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 580822
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 580708
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 580581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 580436
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 580310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 580141
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 579885
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 579668
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 579355
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 579215
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 579034
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 578829
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 578703
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 578549
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 578364
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 578160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 577932
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 577761
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 577584
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 577322
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 577182
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 577066
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 576931
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 576809
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 576486
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 576236
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 576103
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 575944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 575827
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 575695
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 575567
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 575432
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 575308
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 575186
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 575074
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 574917
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 574758
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 574565
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 574442
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 574293
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Thread delayed: delay time: 700000
Source: C:\Users\user\Pictures\i4PHS5R0iEKcuu4uBuaRKA3v.exe	Thread delayed: delay time: 300000
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 454	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 594	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 1094	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 463	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 597	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 595	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Window / User API: threadDelayed 4105
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Window / User API: threadDelayed 4497
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Window / User API: threadDelayed 6836

Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\Minor Policy\w6vQnvc6GcufcSoPXxqtk9pf.exe.azhi (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\build2[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\build3[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\WQ1sXS4A8SPQ3OH5qUwmsfK7.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\gTtQqHKsFf9Nsh1JcOtwF10p.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\flZM696vxwchmoky86e6PuiE.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\en2Jyn1qg7jEGhbzerb4PGCA.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\qzThW72RYcWSkAonVKQR5Zam.exe.azhi (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Dropped PE file which has not been started: C:\adc91a0e0132170ee1c9ace67d4b\Setup.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\Minor Policy\w6vQnvc6GcufcSoPXxqtk9pf.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\Minor Policy\XxaWUuSPH3Fo3U3cdFyCwDfN.exe.azhi (copy)	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\qvQF1TKYhYFFgSpHGD6rgb7v.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\C88Sh505pu9bIEkUIPtIAuGY.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2629.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\Minor Policy\uusesdQ3Edo2k5kNA0mkf5gw.exe.azhi (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\TDwHwUnikC3d4IvKdWZ8TN8E.exe.azhi (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\t3PINyJoW83t7JJSZ5BPE6bi.exe.azhi (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\4204bcd2-893f-40a6-aea5-23bed3094b06\build3.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Dropped PE file which has not been started: C:\adc91a0e0132170ee1c9ace67d4b\SetupUtility.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\t3PINyJoW83t7JJSZ5BPE6bi.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\u0apTRIaaBzfoydgvcDO3D8B.exe.azhi (copy)	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\rdOeLIubzEtA5kaQGojFXfzi.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\FGncB6Cizu2PKxdPqCgKygMO.exe.azhi (copy)	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\l4NNL3d0gUhzOZ4YXgbQgdkt.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\SGRGSrOrLAvbIwSiEaRMIm3Y.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\hypYBFCjte80ItmGLKdfXKZ2.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\SPpYvykupaNYuUQqOkv0xHw6.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\GlKtZqXQAiyhJM8NCtTVvYcF.exe	Jump to dropped file
Source: C:\Users\user\Pictures\U58dhzMU8ddvYuIUxUkOSiON.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\s51[1]	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\DuDMa6rOf5SGixuVkls53BX0.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\N5fklblcsXVYu4JmfhsKVoFv.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\Minor Policy\dl0eBw1a4nselM03kEjNFUeZ.exe.azhi (copy)	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\JNxHITgt9Gfgxa9zzN5RQgfc.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\BB52.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\uYMXNl5sSvaZoW3VwBNxI0U7.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\FGncB6Cizu2PKxdPqCgKygMO.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\opugKRO9HQIQrHGr6X89OLro.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\Minor Policy\dHxqqbbMHpGRP1KlVseWr6lF.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\gdGlSTAHRx5XYnptuFFvfF3Y.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\Minor Policy\dHxqqbbMHpGRP1KlVseWr6lF.exe.azhi (copy)	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\8jjMtFTS9Zlbf6vKPpWxHhte.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\Minor Policy\dl0eBw1a4nselM03kEjNFUeZ.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\MgZKvMc7DV5RedICsSIU2R0o.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Tc3J3MYPBvAb1zFAQ5lDv3bp.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\q1a6Hdte5ZphUujirBwwpHRY.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\yRbowIjZdxellWMLi8kEb6gJ.exe	Jump to dropped file
Source: C:\Users\user\Pictures\U58dhzMU8ddvYuIUxUkOSiON.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\s51[1]	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\C88Sh505pu9bIEkUIPtIAuGY.exe.azhi (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-23R8R.tmp\Pwp3yspp3pM97CCYpnZxEaEs.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\DigitalPulse\is-0SIDM.tmp	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\AboFkE91gGtC0jX22BS3GOn1.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\zDIXJhMuVzNtJxExlDXABWMh.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\4204bcd2-893f-40a6-aea5-23bed3094b06\build2.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\cIYKpG6eQ8E5shW60pciCDk9.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\DuDMa6rOf5SGixuVkls53BX0.exe.azhi (copy)	Jump to dropped file
Source: C:\Users\user\Pictures\U58dhzMU8ddvYuIUxUkOSiON.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\5838081746.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\szKukjqbkrhlE2n6dTEMyu9d.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\wlmRug0KapvbPX1WnJ7a9tAS.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\2D42.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\P94EhV34EPtPaMGwUp1MdOBl.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\PEETw0QK3zD9r7HEE5AR45AO.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\qzThW72RYcWSkAonVKQR5Zam.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\25C8.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\Minor Policy\uusesdQ3Edo2k5kNA0mkf5gw.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\ZMVfke3FfhAYexvtpGaP7QO0.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\Minor Policy\UZMd9akv_Vfb8MG5RwDjTpGs.exe.azhi (copy)	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\SVKcZYT3TwUPvLXOcZVQMjWE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Dropped PE file which has not been started: C:\adc91a0e0132170ee1c9ace67d4b\SetupUtility.exe.azhi (copy)	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\Rh0zrbuPE23tmioMFpoeQvyq.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\OdBy5UCgwCs2zOQ5hgwqYDDW.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\Minor Policy\oM7t40xLe0OgCrSQGKhQ7p6Z.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\9117.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\46ajs7POqByEYUKIKWz4ttVU.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-23R8R.tmp\Pwp3yspp3pM97CCYpnZxEaEs.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\DigitalPulse\DigitalPulseService.exe (copy)	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\Zm8A45fXl2ofLOUYJkU9Hc7y.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\ghXDF7wc1k0lMAVWTQE9mN9d.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\mGx41hPeYElMLjZ4bbI9SOQq.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\OoqQROwr1Yg6cLi95suPlaEZ.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\TDwHwUnikC3d4IvKdWZ8TN8E.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\Minor Policy\KvSnRxw7nRoWWzdlM6L4ADmH.exe.azhi (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\Minor Policy\UZMd9akv_Vfb8MG5RwDjTpGs.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\Minor Policy\XxaWUuSPH3Fo3U3cdFyCwDfN.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\Minor Policy\GXEmL9Hio2yqAqGb8rDpNfoq.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-23R8R.tmp\Pwp3yspp3pM97CCYpnZxEaEs.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\DigitalPulse\is-VGBL0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\OoqQROwr1Yg6cLi95suPlaEZ.exe.azhi (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\Minor Policy\MAq6dYMqMOp7jsSy8ZTXM3iM.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\u0apTRIaaBzfoydgvcDO3D8B.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-23R8R.tmp\Pwp3yspp3pM97CCYpnZxEaEs.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\DigitalPulse\DigitalPulseUpdate.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\Minor Policy\oM7t40xLe0OgCrSQGKhQ7p6Z.exe.azhi (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-23R8R.tmp\Pwp3yspp3pM97CCYpnZxEaEs.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-N0LK6.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\3zaREjkJ8eT5V6QYRyuztw7a.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\t0EOMhSnTVCOCZS9qZwimCQw.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\cDbEZELclwHIblfubBb7q5VJ.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\Minor Policy\KvSnRxw7nRoWWzdlM6L4ADmH.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Dropped PE file which has not been started: C:\adc91a0e0132170ee1c9ace67d4b\Setup.exe.azhi (copy)	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\9315.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\WMMeMLRqjSsdlkGClauVg3Va.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\Minor Policy\GXEmL9Hio2yqAqGb8rDpNfoq.exe.azhi (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\Minor Policy\MAq6dYMqMOp7jsSy8ZTXM3iM.exe.azhi (copy)	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\VWecoOkiAKSpFQMeoTrTyGCa.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\1oYHJ3b1F3QrpZXBIXgl6loz.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\4A15.exe

Code function: 10_2_0429D71C rdtsc

10_2_0429D71C

Source: C:\Users\user\Pictures\f8hJzDp1zQtAPJgciyNSoGpb.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor

Source: C:\Users\user\AppData\Local\Temp\4A15.exe

Code function: _malloc,_malloc,_wprintf,_free,GetAdaptersInfo,_free,_malloc,GetAdaptersInfo,_sprintf,_wprintf,_wprintf,_free,

11_2_0040E670

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 600000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599872
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599765
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599657
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599532
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599407
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599282
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599157
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599029
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598922
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598797
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598547
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598421
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598313
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598204
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598079
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597954
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597844
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597719
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597235
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596985
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596735
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596604
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596233
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596107
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595938
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595799
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595641
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595344
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595110
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594856
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594672
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594485
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594296
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594094
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 593860
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 300000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 593610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 593344
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 593141
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 592954
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 592790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 592554
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 592351
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 592132
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 591979
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 591523
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 591356
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 590934
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 590315
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 590127
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 589929
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 589789
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 589622
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 589305
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 588852
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 588652
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 588308
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 588027
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 587869
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 587415
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 587009
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 586228
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 585949
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 585661
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 585458
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 585207
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 584962
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 584040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 583228
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 583103
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 582965
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 582855
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 582726
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 582579
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 582440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 582291
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 582177
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 582054
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 581935
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 581815
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 581685
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 581551
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 581421
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 581300
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 581157
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 580944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 580822
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 580708
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 580581
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 580436
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 580310
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 580141
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 579885
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 579668
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 579355
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 579215
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 579034
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 578829
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 578703
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 578549
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 578364
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 578160
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 577932
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 577761
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 577584
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 577322
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 577182
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 577066
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 576931
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 576809
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 576486
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 576236
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 576103
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 575944
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 575827
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 575695
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 575567
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 575432
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 575308
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 575186
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 575074
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 574917
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 574758
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 574565
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 574442
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 574293
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Thread delayed: delay time: 700000
Source: C:\Users\user\Pictures\i4PHS5R0iEKcuu4uBuaRKA3v.exe	Thread delayed: delay time: 300000
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\AppData\Local\Temp\4A15.exe

API call chain: ExitProcess graph end node

graph_11-40745

Source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.532122429.0000000002A4A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllU
Source: f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.522431758.0000000000400000.00000040.00000001.01000000.00000019.sdmp	Binary or memory string: RTP.exeSYSTEMROOT=SetFileTimeSignWritingSoft_DottedSystemDriveTTL expiredUninstallerVBoxServiceVMUSrvc.exeVariantInitVirtualFreeVirtualLockWSARecvFromWarang_CitiWhite_SpaceWinDefender[:^xdigit:]\dsefix.exeadditionalsalarm clockapplicationassistQueueauthoritiesbad addressbad argSizebad m valuebad messagebad timedivbitcoins.skbroken pipecampaign_idcgocall nilclobberfreeclosesocketcombase.dllcreated by crypt32.dlle2.keff.orgembedded/%sexternal IPfile existsfinal tokenfloat32nan2float64nan1float64nan2float64nan3gccheckmarkgeneralizedget CDN: %wgetpeernamegetsocknameglobalAllochttp2clienthttp2serverhttps_proxyi/o timeoutlocal errormSpanManualmethodargs(minTrigger=move %s: %wmswsock.dllnetpollInitnext servernil contextopera-proxyorannis.comout of syncparse errorprocess: %sreflect.SetreflectOffsretry-afterruntime: P runtime: g runtime: p scheddetailsechost.dllsecur32.dllservice: %sshell32.dllshort writestack tracestart proxytaskmgr.exetls: alert(tracealloc(traffic updunreachableuserenv.dllversion.dllversion=195wininet.dllwup_process (sensitive) B (
Source: f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.522431758.0000000000400000.00000040.00000001.01000000.00000019.sdmp	Binary or memory string: entersyscallexit status failed to %wfound av: %sgcBitsArenasgcpacertracegetaddrinfowgot TI tokenguid_machineharddecommithost is downhttp2debug=1http2debug=2illegal seekinjector.exeinstall_dateinvalid baseinvalid pathinvalid portinvalid slotiphlpapi.dllkernel32.dllmachine_guidmadvdontneedmax-forwardsmheapSpecialmsftedit.dllmspanSpecialnetapi32.dllno such hostnon-existentnot pollableoleaut32.dllout of rangeparse PE: %wproxyconnectrandautoseedrecv_goaway_reflect.Copyreleasep: m=remote errorremoving appruntime: gp=runtime: sp=s ap traffics hs trafficself-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringstraffic/readtransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog.exewinlogon.exewintrust.dllwirep: p->m=worker mode wtsapi32.dll != sweepgen (default %q) (default %v) MB globals, MB) workers= called from flushedWork idlethreads= in host name is nil, not nStackRoots= out of range pluginpath= s.spanclass= span.base()= syscalltick= work.nproc= work.nwait= %s/rawaddr/%s%s\%s\drivers, gp->status=, not pointer-bind-address-byte block (3814697265625: unknown pc Accept-RangesAuthorizationCLIENT_RANDOMCONNECTION-IDCONNECT_ERRORCache-ControlCertOpenStoreCoTaskMemFreeConnectServerContent-RangeDONT-FRAGMENTDeleteServiceDestroyWindowDistributorIDECDSAWithSHA1EnumProcessesExitWindowsExFQDN too longFindFirstFileFindNextFileWFindResourceWFreeAddrInfoWGC sweep waitGeoIPFile %s
Source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000400000.00000040.00000001.01000000.00000017.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.522431758.0000000000400000.00000040.00000001.01000000.00000019.sdmp	Binary or memory string: DnsRecordListFreeENHANCE_YOUR_CALMEnumThreadWindowsFLE Standard TimeFailed DependencyGC assist markingGMT Standard TimeGTB Standard TimeGetCurrentProcessGetShortPathNameWHEADER_TABLE_SIZEHKEY_CLASSES_ROOTHKEY_CURRENT_USERHTTP_1_1_REQUIREDIf-Modified-SinceIsTokenRestrictedLookupAccountSidWMESSAGE-INTEGRITYMoved PermanentlyOld_North_ArabianOld_South_ArabianOther_ID_ContinuePython-urllib/2.5QueryWorkingSetExRESERVATION-TOKENReadProcessMemoryRegLoadMUIStringWRtlGetCurrentPebSafeArrayCopyDataSafeArrayCreateExSentence_TerminalSysAllocStringLenSystemFunction036Too Many RequestsTransfer-EncodingUnexpected escapeUnified_IdeographUnknown AttributeVGAuthService.exeWSAEnumProtocolsWWTSQueryUserTokenWrite after CloseWrong CredentialsX-Idempotency-Key\System32\drivers\\.\VBoxMiniRdrDN
Source: f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.522431758.0000000000400000.00000040.00000001.01000000.00000019.sdmp	Binary or memory string: IP addressIsValidSidKeep-AliveKharoshthiLocalAllocLockFileExLogonUserWManichaeanMessage-IdNo ContentOld_ItalicOld_PermicOld_TurkicOpenEventWOpenMutexWOpenThreadOther_MathPOSTALCODEParseAddr(ParseFloatPhoenicianProcessingPulseEventRIPEMD-160RST_STREAMResetEventSHA256-RSASHA384-RSASHA512-RSASYSTEMROOTSaurashtraSecureBootSet-CookieShowWindowTor uptimeUser-AgentVMSrvc.exeWSACleanupWSASocketWWSAStartupWget/1.9.1Windows 10Windows 11[:^alnum:][:^alpha:][:^ascii:][:^blank:][:^cntrl:][:^digit:][:^graph:][:^lower:][:^print:][:^punct:][:^space:][:^upper:][:xdigit:]\\.\WinMon\patch.exe^{[\w-]+}$app_%d.txtatomicand8attr%d=%s cmd is nilcomplex128connectiondebug calldnsapi.dlldsefix.exedwmapi.dlle.keff.orgexecerrdotexitThreadexp masterfloat32nanfloat64nangetsockoptgoroutine http_proxyimage/avifimage/jpegimage/webpimpossibleindicationinvalid IPinvalidptrkeep-alivemSpanInUsemyhostnameno resultsnot a boolnot signednotifyListowner diedpowershellprl_cc.exeprofInsertres binderres masterresumptionrune <nil>runtime: gs.state = schedtracesemacquiresend stateset-cookiesetsockoptskipping: socks bindstackLarget.Kind == terminatedtext/plaintime.Date(time.Localtracefree(tracegc()
Source: f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.522431758.0000000000400000.00000040.00000001.01000000.00000019.sdmp	Binary or memory string: GetActiveObjectGetAdaptersInfoGetCommTimeoutsGetCommandLineWGetFirmwareTypeGetProcessTimesGetSecurityInfoGetStartupInfoWGlobal\qtxp9g8wHanifi_RohingyaICE-CONTROLLINGIdempotency-KeyImpersonateSelfInstall failureIsWindowUnicodeIsWindowVisibleIsWow64Process2Length RequiredLoadLibraryExALoadLibraryExWNot ImplementedNtSuspendThreadOpenThreadTokenOther_LowercaseOther_UppercasePKCS1WithSHA256PKCS1WithSHA384PKCS1WithSHA512Partial ContentPostQuitMessageProcess32FirstWPsalter_PahlaviQueryDosDeviceWRegCreateKeyExWRegDeleteValueWRequest TimeoutRtlDefaultNpAclSafeArrayCreateSafeArrayGetDimSafeArrayGetIIDSafeArrayUnlockScheduledUpdateSetCommTimeoutsSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUnescaped quoteUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\DefaultX-Forwarded-For\\.\VBoxTrayIPC]
Source: f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.522431758.0000000000400000.00000040.00000001.01000000.00000019.sdmp	Binary or memory string: acceptactivechan<-closedcookiedirectdomainefenceempty exec: expectfamilygeoip6gopherhangupheaderinternip+netkilledlistenminutenetdnsnumberobjectoriginpopcntrdtscpreadatreasonremoverenamereturnrun-v3rune1 secondselectsendtoserversocketsocks socks5statusstringstructsweep sysmontelnettimersuint16uint32uint64unuseduptimevmhgfsvmxnetvpc-s3wup_hsxennetxensvcxenvdb %v=%v, (conn) (scan (scan) MB in Value> allocs dying= flags= len=%d locks= m->g0= nmsys= pad1= pad2= s=nil
Source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000400000.00000040.00000001.01000000.00000017.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.522431758.0000000000400000.00000040.00000001.01000000.00000019.sdmp	Binary or memory string: SafeArrayCopyDataSafeArrayCreateExSentence_TerminalSysAllocStringLenSystemFunction036Too Many RequestsTransfer-EncodingUnexpected escapeUnified_IdeographUnknown AttributeVGAuthService.exeWSAEnumProtocolsWWTSQueryUserTokenWrite after CloseWrong CredentialsX-Idempotency-Key\System32\drivers\\.\VBoxMiniRdrDN
Source: f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.522431758.0000000000400000.00000040.00000001.01000000.00000019.sdmp	Binary or memory string: (MISSING)(unknown), newval=, oldval=, size = , tail = -07:00:00/api/cdn?/api/poll127.0.0.1244140625: status=AuthorityBassa_VahBhaiksukiClassINETCuneiformDiacriticEVEN-PORTExecQueryFindCloseForbiddenGetDIBitsHex_DigitInheritedInstMatchInstRune1InterfaceKhudawadiLocalFreeMalayalamMongolianMoveFileWNabataeanNot FoundOP_RETURNOSCaptionPalmyreneParseUintPatchTimePublisherReleaseDCRemoveAllSTUN addrSamaritanSee OtherSeptemberSundaneseSysnativeToo EarlyTrailer: TypeCNAMETypeHINFOTypeMINFOUse ProxyVBoxGuestVBoxMouseVBoxVideoWSASendToWednesdayWindows 7WriteFileZ07:00:00[%v = %d][:^word:][:alnum:][:alpha:][:ascii:][:blank:][:cntrl:][:digit:][:graph:][:lower:][:print:][:punct:][:space:][:upper:]_outboundatomicor8attributeb.ooze.ccbad indirbus errorchallengechan sendcomplex64connectexcopystackcsrss.exectxt != 0d.nx != 0dns,filesecdsa.netempty urlfiles,dnsfn.48.orgfodhelperfork/execfuncargs(gdi32.dllhchanLeafimage/gifimage/pnginittraceinterfaceinterruptinvalid nipv6-icmplocalhostmSpanDeadnew tokennil errorntdll.dllole32.dllomitemptyop_returnpanicwaitpatch.exepclmulqdqpreemptedprintableprofBlockprotocol proxy.exepsapi.dllquestionsreboot inrecover: reflect: rwxrwxrwxscavtracestackpoolsucceededtask %+v
Source: explorer.exe, 00000002.00000000.374261706.0000000000F78000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}:
Source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.542182071.00000000046F2000.00000040.00000020.00020000.00000000.sdmp	Binary or memory string: aryvmcixn-SE-
Source: explorer.exe, 00000002.00000000.375180547.00000000087FC000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: 4A15.exe, 0000000B.00000002.436099726.0000000002F30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.522431758.0000000000400000.00000040.00000001.01000000.00000019.sdmp	Binary or memory string: VirtualUnlockWINDOW_UPDATEWTSFreeMemoryWriteConsoleW[FrameHeader \\.\VBoxGuestaccept-rangesaccess deniedadvapi32.dll
Source: explorer.exe, 00000002.00000000.375180547.00000000087FC000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000s6x
Source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000400000.00000040.00000001.01000000.00000017.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.522431758.0000000000400000.00000040.00000001.01000000.00000019.sdmp	Binary or memory string: ><'\'') = ) m=+Inf-Inf.bat.cmd.com.css.exe.gif.htm.jpg.mjs.pdf.png.svg.sys.xml0x%x1.1110803125: p=ACDTACSTAEDTAESTAKDTAKSTAWSTAhomAtoiCDN=CESTChamDATADashDataDateEESTEULAEtagFromGOGCGoneHostJulyJuneLEAFLisuMiaoModiNZDTNZSTNameNewaPINGPOSTPathQEMUROOTSASTSTARSendStatTempThaiTypeUUID"%s"\rss\smb\u00
Source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.542182071.00000000046F2000.00000040.00000020.00020000.00000000.sdmp	Binary or memory string: ameNewaPINGPOSTPathQEMUROOTH
Source: svchost.exe, 00000004.00000002.448034271.000001AC75CDF000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.447981283.000001AC75C82000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000004.00000002.448095688.000001AC75CEC000.00000004.00000020.00020000.00000000.sdmp, 4A15.exe, 0000000B.00000003.433599791.0000000000727000.00000004.00000020.00020000.00000000.sdmp, 4A15.exe, 0000000B.00000002.435946180.00000000006D8000.00000004.00000020.00020000.00000000.sdmp, 4A15.exe, 0000000B.00000002.435946180.0000000000727000.00000004.00000020.00020000.00000000.sdmp, 4A15.exe, 00000019.00000002.528784929.00000000005FF000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000002.659717297.000000000143B000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000002.659717297.00000000014BC000.00000004.00000020.00020000.00000000.sdmp, 4A15.exe, 0000001D.00000002.678164342.00000000007CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 4A15.exe, 0000001D.00000002.678164342.0000000000748000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW8S}%SystemRoot%\system32\mswsock.dll}}
Source: f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.522431758.0000000000400000.00000040.00000001.01000000.00000019.sdmp	Binary or memory string: too many linkstoo many userstorrc filenameunexpected EOFunknown code: unknown error unknown methodunknown mode: unreachable: unsafe.PointeruserArenaStatevirtualbox: %wvmwaretray.exevmwareuser.exewii libnup/1.0winapi error #window createdwork.full != 0xenservice.exezero parameter with GC prog
Source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.542182071.00000000046F2000.00000040.00000020.00020000.00000000.sdmp	Binary or memory string: 11VBoxSFWINDIRWD
Source: 4A15.exe, 00000019.00000002.528784929.0000000000578000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 4A15.exe, 0000000B.00000002.436099726.0000000002F30000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: AddInProcess32.exe, 00000012.00000002.690591915.00000000010F5000.00000004.00000020.00020000.00000000.sdmp, 4GAUQKCdkFpttJoyS2YGgxr9.exe, 0000001E.00000002.687702533.00000000018CF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.542182071.00000000046F2000.00000040.00000020.00020000.00000000.sdmp	Binary or memory string: \\.\HGFS`
Source: 4A15.exe, 0000001D.00000003.584736156.000000000076E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll}}
Source: f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.522431758.0000000000400000.00000040.00000001.01000000.00000019.sdmp	Binary or memory string: ... omitting accept-charsetafter EfiGuardallocfreetracebad allocCountbad record MACbad restart PCbad span statebtc.usebsv.comcert installedchecksum errorcontent-lengthcouldn't patchdata truncateddistributor_iddriver removederror responsefile too largefinalizer waitgcstoptheworldget uptime: %wgetprotobynamegot system PIDinitial serverinternal errorinvalid syntaxis a directorykey size wronglevel 2 haltedlevel 3 haltedmemprofileratemultipartfilesneed more datanil elem type!no module datano such deviceopen event: %wparse cert: %wprotocol errorread certs: %wread_frame_eofreflect.Value.remove app: %wruntime: full=runtime: want=s.allocCount= semaRoot queueserver.versionstack overflowstopm spinningstore64 failedsync.Cond.Waittext file busytime.Location(timeEndPeriodtoo many linkstoo many userstorrc filenameunexpected EOFunknown code: unknown error unknown methodunknown mode: unreachable: unsafe.PointeruserArenaStatevirtualbox: %wvmwaretray.exevmwareuser.exewii libnup/1.0winapi error #window createdwork.full != 0xenservice.exezero parameter with GC prog
Source: explorer.exe, 00000002.00000000.375180547.0000000008857000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000 X
Source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.542182071.00000000046F2000.00000040.00000020.00020000.00000000.sdmp	Binary or memory string: vmhgfsP
Source: i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000002.659717297.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: LNFuVMcI
Source: explorer.exe, 00000002.00000000.375180547.00000000087FC000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000]
Source: f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.522431758.0000000000400000.00000040.00000001.01000000.00000019.sdmp	Binary or memory string: tracebackunderflowunhandleduninstallunzip Torunzip: %wurn:uuid:w3m/0.5.1wbufSpanswebsocketxenevtchn} stack=[ netGo = MB goal, flushGen for type gfreecnt= heapGoal= pages at ptrSize= runqsize= runqueue= s.base()= spinning= stopwait= stream=%d sweepgen sweepgen= targetpc= throwing= until pc=%!(NOVERB)%!Weekday(%s.uuid.%s%s\|%s%s\|%s(BADINDEX), bound = , limit = -noprofile-uninstall.localhost/dev/stdin/etc/hosts/show-eula12207031256103515625: parsing :authorityAdditionalBad varintCampaignIDCancelIoExChorasmianClassCHAOSClassCSNETConnectionContent-IdCreateFileCreatePipeDSA-SHA256DeprecatedDevanagariDnsQuery_WECDSA-SHA1END_STREAMERROR-CODEException GC forced
Source: f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.522431758.0000000000400000.00000040.00000001.01000000.00000019.sdmp	Binary or memory string: Not ImplementedNtSuspendThreadOpenThreadTokenOther_LowercaseOther_UppercasePKCS1WithSHA256PKCS1WithSHA384PKCS1WithSHA512Partial ContentPostQuitMessageProcess32FirstWPsalter_PahlaviQueryDosDeviceWRegCreateKeyExWRegDeleteValueWRequest TimeoutRtlDefaultNpAclSafeArrayCreateSafeArrayGetDimSafeArrayGetIIDSafeArrayUnlockScheduledUpdateSetCommTimeoutsSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUnescaped quoteUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\DefaultX-Forwarded-For\\.\VBoxTrayIPC]
Source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.0000000004F33000.00000040.00001000.00020000.00000000.sdmp	Binary or memory string: main.isRunningInsideVMWare
Source: f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.522431758.0000000000400000.00000040.00000001.01000000.00000019.sdmp	Binary or memory string: VirtualUnlockWINDOW_UPDATEWTSFreeMemoryWriteConsoleW[FrameHeader \\.\VBoxGuestaccept-rangesaccess deniedadvapi32.dllauthorizationbad flushGen bad map statebtc.cihar.combtc.xskyx.netcache-controlcontent-rangecouldn't polldalTLDpSugct?data is emptydouble unlockemail addressempty integerexchange fullfatal error: gethostbynamegetservbynamegzip, deflateif-none-matchignoring fileimage/svg+xmlinvalid ASN.1invalid UTF-8invalid base kernel32.dllkey expansionlame referrallast-modifiedlevel 3 resetload64 failedmaster secretmin too largename is emptynil stackbasenot a Float32open file: %wout of memoryparallels: %wparsing time powrprof.dllprl_tools.exeprofMemActiveprofMemFutureread EULA: %wrebooting nowruntime: seq=runtime: val=service stateset event: %wsigner is nilsocks connectsrmount errortimer expiredtraceStackTabtrailing dataunimplementedunsupported: user canceledvalue method virtualpc: %wxadd64 failedxchg64 failed}
Source: f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.522431758.0000000000400000.00000040.00000001.01000000.00000019.sdmp	Binary or memory string: unixpacketunknown pcuser-agentuser32.dllvmusbmousevmware: %wws2_32.dll of size (targetpc= , plugin: ErrCode=%v KiB work, bytes ...
Source: explorer.exe, 00000002.00000000.375180547.00000000088B3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: #cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f563
Source: f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.522431758.0000000000400000.00000040.00000001.01000000.00000019.sdmp	Binary or memory string: VersionVirtualWSARecvWSASend"%s" %stypes value=abortedalt -> answersany -> booleancharsetchunkedcmd.execonnectconsolecpu: %scpuprofderiveddriversexpiresfloat32float64forcegcgctracehead = http://invalidlog.txtlookup messageminpc= nil keynop -> number pacer: panic: readdirrefererrefreshrequestrunningserial:server=signal svc_versyscalltor.exetraileruintptrunknownupgradeversionvmmousevpcuhubwaitingwindowswsarecvwsasendwup_verxen: %wxennet6 bytes, data=%q etypes incr=%v is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= ping=%q pointer stack=[ status %!Month(%02d%02d%s %s:%d%s: 0x%x-cleanup2.5.4.102.5.4.112.5.4.1748828125?4#?'1#0AcceptExAcceptedAllocateAltitudeArmenianBAD RANKBalineseBopomofoBugineseCancelIoCherokeeClassANYConflictContinueCurveID(CyrillicDNS nameDSA-SHA1DecemberDefenderDeleteDCDuployanEULA.txtEqualSidEthiopicExtenderFebruaryFirewallFullPathGeorgianGetOEMCPGoStringGujaratiGurmukhiHTTP/1.1HTTP/2.0HiraganaInstFailInstRuneIsWindowJavaneseKatakanaKayah_LiLIFETIMELinear_ALinear_BLocationLsaCloseMD5+SHA1MahajaniNO_ERRORNO_PROXYNovemberOl_ChikiPRIORITYPROGRESSParseIntPersoconPhags_PaQuestionReadFileReceivedSETTINGSSHA1-RSASHA3-224SHA3-256SHA3-384SHA3-512SOFTWARESaturdaySetEventSystem32TagbanwaTai_ThamTai_VietThursdayTifinaghTypeAAAATypeAXFRUSERHASHUSERNAMEUgariticVBoxWddmWSAIoctlWinmonFSWmiPrvSE[::1]:53[:word:][signal \\.\HGFS\\.\vmcistack=[_NewEnum_gatewayacceptexaddress bad instcgocheckcontinuecs deadlockdefault:dial: %wdnsquerydurationeax ebp ebx ecx edi edx eflags eip embeddedesi esp execwaitexporterf is nilfinishedfs gs hijackedhttp/1.1https://if-matchif-rangeinfinityinjectorinvalid linkpathlocationmac_addrmountvolmsvmmoufno anodeno-cacheno_proxypollDescreadfromrecvfromreflect.runnableruntime.rwmutexRrwmutexWscavengeshutdownstrconv.taskkilltor_modetraceBuftrigger=unixgramunknown(usernamevmmemctlvmx_svgawalk: %wwsaioctlwuauservx509sha1yuio.top (forced) B exp.) B work ( blocked= in use)
Source: f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.522431758.0000000000400000.00000040.00000001.01000000.00000019.sdmp	Binary or memory string: m=] = ] n=allgallparchasn1avx2basebindbitsbmi1bmi2boolcallcap cas1cas2cas3cas4cas5cas6chandatedeaddialdoneermsetagethmfailfileflagfromftpsfuncgziphosthourhttpicmpidleigmpint8itabjsonkindlinkmdnsnullopenpathpipepop3quitreadrootsbrkseeksid=sizesmtpsse3tag:tcp4texttruetypeudp4uintunixuuidvaryvmcixn-- -%s (at ...
Source: f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.522431758.0000000000400000.00000040.00000001.01000000.00000019.sdmp	Binary or memory string: , i = , not , val -BEFV--DYOR--FMLD--FZTA--IRXC--JFQI--JQGP--JSKV--JZUF--KGQJ--KSFO--MKND--MOHU--NSFS--PFQJ--PLND--RTMD--VRSM--XQVL-.local.onion/%d-%s370000390625:31461<-chanAcceptAnswerArabicAugustBUTTONBasic BitBltBrahmiCANCELCONIN$CancelCarianChakmaCommonCookieCopticExpectFltMgrFormatFridayGOAWAYGetACPGothicHangulHatranHebrewHyphenKaithiKhojkiLengthLepchaLockedLycianLydianMondayPADDEDPcaSvcPragmaRejangSCHED STREETServerStringSundaySyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UTC+13UTC-02UTC-08UTC-09UTC-11VBoxSFWINDIRWanchoWinMonWinmonX25519Yezidi[]byte\??\%s\csrss\ufffd
Source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.542182071.00000000046F2000.00000040.00000020.00020000.00000000.sdmp	Binary or memory string: tVMSrvcs\|!
Source: f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.522431758.0000000000400000.00000040.00000001.01000000.00000019.sdmp	Binary or memory string: and got= max= ms, ptr tab= top=%s %q%s %s%s%d%s/%s%s:%d%s=%s"'&+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-0930.avif.html.jpeg.json.wasm.webp1.4.2156253.2.250001500025000350004500055000650512560015600278125:**@:path<nil>AdlamAprilBamumBatakBuhidCall ClassCountDograECDSAErrorFlagsFoundGetDCGreekHTTP/KhmerLatinLimbuLocalLstatMarchNONCENushuOghamOriyaOsageP-224P-256P-384P-521PGDSEREALMRangeRealmRunicSHA-1STermTakriTamilTypeAUSTARUUID=\u202] = (allowarrayatimebad nchdirchmodclosecsrssctimedeferfalsefaultfilesfloatgcinggeoipgnamegscanhchanhostshttpsimap2imap3imapsinit int16int32int64matchmheapmkdirmonthmtimentohspanicparsepgdsepop3sproxyrangermdirrouterune scav schedsdsetsleepslicesockssse41sse42ssse3sudogsweeptext/tls: torrctotaltraceuint8unameusageuser=utf-8valuevmusbvmx86write B -> Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util%s.exe%s.sys%s: %s(...)
Source: 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000400000.00000040.00000001.01000000.00000017.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.522431758.0000000000400000.00000040.00000001.01000000.00000019.sdmp	Binary or memory string: 100-continue127.0.0.1:%d127.0.0.1:53152587890625762939453125AUTHENTICATEBidi_ControlCIDR addressCONTINUATIONCfgMgr32.dllCoCreateGuidCoInitializeContent TypeContent-TypeCookie.ValueCreateEventWCreateMutexWDeleteObjectECDSA-SHA256ECDSA-SHA384ECDSA-SHA512ErrUnknownPCFindNextFileGetAddrInfoWGetConsoleCPGetLastErrorGetLengthSidGetProcessIdGetStdHandleGetTempPathWGetUserGeoIDGlobalUnlockGlobal\csrssI'm a teapotInstAltMatchJoin_ControlLittleEndianLoadLibraryWLoadResourceLockResourceMax-ForwardsMeetei_MayekMime-VersionMulti-StatusNot ExtendedNot ModifiedNtCreateFileOpenServiceWPUSH_PROMISEPahawh_HmongRCodeRefusedRCodeSuccessReadConsoleWReleaseMutexReportEventWResumeThreadRevertToSelfRoInitializeS-1-5-32-544SERIALNUMBERSelectObjectServer ErrorSetEndOfFileSetErrorModeSetStdHandleSora_SompengSyloti_NagriSysStringLenThread32NextTor mode setTransmitFileUnauthorizedUnlockFileExVBoxTray.exeVariantClearVirtualAllocVirtualQueryWinmon32.sysWinmon64.sysWintrust.dllX-ImforwardsX-Powered-By[[:^ascii:]]\/(\d+)-(.*)\\.\WinMonFSabi mismatchadvapi32.dllaltmatch -> anynotnl -> bad flushGenbad g statusbad g0 stackbad recoverybad value %dbootmgfw.efibuild_numberc ap trafficc hs trafficcaller errorcan't happencas64 failedcdn is emptychan receiveclose notifycontent-typecontext.TODOcountry_codedse disableddumping heapend tracegc
Source: 4A15.exe, 0000001D.00000002.678164342.00000000007CD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWD

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_00410160 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,FindNextFileW,FindClose,	11_2_00410160
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_0040F730 PathFindFileNameW,PathFindFileNameW,_memmove,PathFindFileNameW,_memmove,PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,PathFindExtensionW,_wcsstr,_wcsstr,_wcsstr,_wcsstr,FindNextFileW,FindClose,	11_2_0040F730
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_0040FB98 PathAppendW,_memmove,PathFileExistsW,_malloc,lstrcpyW,lstrcatW,_free,FindFirstFileW,FindNextFileW,FindClose,	11_2_0040FB98

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\Desktop\file.exe	System information queried: CodeIntegrityInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jwjrtuw	System information queried: CodeIntegrityInformation	Jump to behavior
Source: C:\Users\user\Pictures\t3PINyJoW83t7JJSZ5BPE6bi.exe	System information queried: CodeIntegrityInformation

Source: C:\Users\user\AppData\Local\Temp\4A15.exe

11_2_00412220

Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 10_2_0429C0A3 push dword ptr fs:[00000030h]		10_2_0429C0A3
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 10_2_04470042 push dword ptr fs:[00000030h]		10_2_04470042

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jwjrtuw	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Pictures\t3PINyJoW83t7JJSZ5BPE6bi.exe	Process queried: DebugPort

Source: C:\Users\user\AppData\Local\Temp\4A15.exe

Code function: 11_2_00424168 _memset,IsDebuggerPresent,

11_2_00424168

Source: C:\Users\user\AppData\Local\Temp\4A15.exe

Code function: 11_2_0042A57A EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

11_2_0042A57A

Source: C:\Users\user\AppData\Local\Temp\4A15.exe

Code function: 11_2_004278D5 GetProcessHeap,

11_2_004278D5

Source: C:\Users\user\AppData\Local\Temp\4A15.exe

Code function: 10_2_0429D71C rdtsc

10_2_0429D71C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Memory allocated: page read and write | page guard

Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_004329EC SetUnhandledExceptionFilter,UnhandledExceptionFilter,		11_2_004329EC
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: 11_2_004329BB SetUnhandledExceptionFilter,		11_2_004329BB

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 104.21.18.99 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 79.137.192.18 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 213.6.54.58 443	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 189.232.123.108 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 195.201.202.58 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 162.159.133.233 443	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 193.42.32.101 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 144.76.136.153 443	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 194.169.175.127 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 77.91.68.78 80	Jump to behavior

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: jwjrtuw.2.dr

Jump to dropped file

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\file.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jwjrtuw	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jwjrtuw	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\Pictures\t3PINyJoW83t7JJSZ5BPE6bi.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\Pictures\t3PINyJoW83t7JJSZ5BPE6bi.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read

Allocates memory in foreign processes

Source: C:\Users\user\AppData\Local\Temp\A388.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 protect: page execute and read and write

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Memory written: C:\Users\user\AppData\Local\Temp\4A15.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A388.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Memory written: C:\Users\user\AppData\Local\Temp\4A15.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\d11683cc-0d8b-41c4-a224-c03c55bb751f\4A15.exe	Memory written: C:\Users\user\AppData\Local\d11683cc-0d8b-41c4-a224-c03c55bb751f\4A15.exe base: 400000 value starts with: 4D5A

Contains functionality to inject code into remote processes

Source: C:\Users\user\AppData\Local\Temp\4A15.exe

Code function: 10_2_04470110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,SetThreadContext,ResumeThread,ExitProcess,

10_2_04470110

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\file.exe	Thread created: C:\Windows\explorer.exe EIP: 4E91B14	Jump to behavior
Source: C:\Users\user\AppData\Roaming\jwjrtuw	Thread created: unknown EIP: 5981B14	Jump to behavior
Source: C:\Users\user\Pictures\t3PINyJoW83t7JJSZ5BPE6bi.exe	Thread created: unknown EIP: 5C31930

Writes to foreign memory regions

Source: C:\Users\user\AppData\Local\Temp\A388.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\A388.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000
Source: C:\Users\user\AppData\Local\Temp\A388.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 404000
Source: C:\Users\user\AppData\Local\Temp\A388.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 406000
Source: C:\Users\user\AppData\Local\Temp\A388.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: AA3008

Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Process created: C:\Users\user\AppData\Local\Temp\4A15.exe C:\Users\user\AppData\Local\Temp\4A15.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\A388.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Source: C:\Users\user\AppData\Local\Temp\A388.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Source: C:\Users\user\AppData\Local\Temp\A388.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Users\user\Pictures\i4PHS5R0iEKcuu4uBuaRKA3v.exe "C:\Users\user\Pictures\i4PHS5R0iEKcuu4uBuaRKA3v.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Users\user\Pictures\Pwp3yspp3pM97CCYpnZxEaEs.exe "C:\Users\user\Pictures\Pwp3yspp3pM97CCYpnZxEaEs.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /PID=5333
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe "C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Users\user\Pictures\t3PINyJoW83t7JJSZ5BPE6bi.exe "C:\Users\user\Pictures\t3PINyJoW83t7JJSZ5BPE6bi.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Users\user\Pictures\YRhJ9y7wcq2JenN54ladams2.exe "C:\Users\user\Pictures\YRhJ9y7wcq2JenN54ladams2.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Users\user\Pictures\U58dhzMU8ddvYuIUxUkOSiON.exe "C:\Users\user\Pictures\U58dhzMU8ddvYuIUxUkOSiON.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Users\user\Pictures\941caPIfMmGnCq8PWe7WWHEk.exe "C:\Users\user\Pictures\941caPIfMmGnCq8PWe7WWHEk.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Users\user\Pictures\V1NdDWPeq5yoU55PUCrHuT1N.exe "C:\Users\user\Pictures\V1NdDWPeq5yoU55PUCrHuT1N.exe" /s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Users\user\Pictures\f8hJzDp1zQtAPJgciyNSoGpb.exe "C:\Users\user\Pictures\f8hJzDp1zQtAPJgciyNSoGpb.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Process created: C:\Users\user\AppData\Local\Temp\4A15.exe "C:\Users\user\AppData\Local\Temp\4A15.exe" --Admin IsNotAutoStart IsNotTask
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\d11683cc-0d8b-41c4-a224-c03c55bb751f\4A15.exe	Process created: C:\Users\user\AppData\Local\d11683cc-0d8b-41c4-a224-c03c55bb751f\4A15.exe C:\Users\user\AppData\Local\d11683cc-0d8b-41c4-a224-c03c55bb751f\4A15.exe --Task
Source: C:\Users\user\Pictures\t3PINyJoW83t7JJSZ5BPE6bi.exe	Process created: C:\Users\user\Pictures\t3PINyJoW83t7JJSZ5BPE6bi.exe "C:\Users\user\Pictures\t3PINyJoW83t7JJSZ5BPE6bi.exe"
Source: C:\Users\user\Pictures\U58dhzMU8ddvYuIUxUkOSiON.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\U58dhzMU8ddvYuIUxUkOSiON.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\941caPIfMmGnCq8PWe7WWHEk.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\f8hJzDp1zQtAPJgciyNSoGpb.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\is-23R8R.tmp\Pwp3yspp3pM97CCYpnZxEaEs.tmp	Process created: unknown unknown

Source: C:\Users\user\AppData\Local\Temp\4A15.exe

Code function: 11_2_00419F90 GetCurrentProcess,GetLastError,GetLastError,SetPriorityClass,GetLastError,GetModuleFileNameW,PathRemoveFileSpecW,GetCommandLineW,CommandLineToArgvW,lstrcpyW,lstrcmpW,lstrcmpW,lstrcpyW,lstrcpyW,lstrcmpW,lstrcmpW,GlobalFree,lstrcpyW,lstrcpyW,OpenProcess,WaitForSingleObject,CloseHandle,Sleep,GlobalFree,GetCurrentProcess,GetExitCodeProcess,TerminateProcess,CloseHandle,lstrcatW,GetVersion,lstrcpyW,lstrcatW,lstrcatW,_memset,ShellExecuteExW,CreateThread,lstrlenA,lstrcatW,_malloc,lstrcatW,_memset,lstrcatW,MultiByteToWideChar,lstrcatW,lstrlenW,CreateThread,WaitForSingleObject,CreateMutexA,CreateMutexA,lstrlenA,lstrcpyA,_memmove,_memmove,_memmove,GetUserNameW,GetMessageW,GetMessageW,DispatchMessageW,TranslateMessage,TranslateMessage,DispatchMessageW,GetMessageW,PostThreadMessageW,PeekMessageW,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,PostThreadMessageW,PeekMessageW,DispatchMessageW,PeekMessageW,WaitForSingleObject,CloseHandle,

11_2_00419F90

Source: explorer.exe, 00000002.00000000.374737169.0000000005F10000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.374314416.0000000001530000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.374314416.0000000001530000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.374314416.0000000001530000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: mProgram Manager
Source: explorer.exe, 00000002.00000000.374261706.0000000000F78000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ProgmanDat
Source: explorer.exe, 00000002.00000000.374314416.0000000001530000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000002.00000000.375180547.0000000008857000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWndEZS

Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	10_2_044A3F87
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: ___crtGetLocaleInfoA,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,__invoke_watson,	10_2_0449C8B7
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free,	10_2_044A394D
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_free,_free,_free,_free,_free,_free,_free,_free,_free,	10_2_044A49EA
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	10_2_044B0AB6
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtLCMapStringA,___crtLCMapStringA,___crtGetStringTypeA,_free,_free,_free,_free,_free,_free,_free,_free,_free,	11_2_0043404A
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: _LcidFromHexString,GetLocaleInfoW,_TestDefaultLanguage,	11_2_00438178
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	11_2_00440116
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	11_2_004382A2
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: GetLocaleInfoW,_GetPrimaryLen,	11_2_0043834F
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: _memset,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromCountry,GetUserDefaultLCID,IsValidCodePage,IsValidLocale,___crtDownlevelLCIDToLocaleName,___crtDownlevelLCIDToLocaleName,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,__itow_s,	11_2_00438423
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,	11_2_004335E7
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: EnumSystemLocalesW,	11_2_004387C8
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: GetLocaleInfoW,	11_2_0043884E
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,_free,_free,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,_free,_free,_free,_free,_free,	11_2_00432B6D
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: _TranslateName,_TranslateName,IsValidCodePage,_wcschr,_wcschr,__itow_s,_LcidFromHexString,GetLocaleInfoW,	11_2_00437BB3
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: EnumSystemLocalesW,	11_2_00437E27
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	11_2_00437E83
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: _GetPrimaryLen,EnumSystemLocalesW,	11_2_00437F00
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,_free,_free,__calloc_crt,_free,	11_2_0042BF17
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: _LcidFromHexString,GetLocaleInfoW,GetLocaleInfoW,__wcsnicmp,GetLocaleInfoW,_TestDefaultLanguage,	11_2_00437F83
Source: C:\Users\user\AppData\Local\Temp\4A15.exe	Code function: __calloc_crt,__malloc_crt,_free,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,_free,_free,_free,_free,	11_2_00432FAD

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Pictures\4GAUQKCdkFpttJoyS2YGgxr9.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\is-23R8R.tmp\Pwp3yspp3pM97CCYpnZxEaEs.tmp	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\4A15.exe

Code function: 10_2_044980F6 cpuid

10_2_044980F6

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\4A15.exe

Code function: 10_2_00409507 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

10_2_00409507

Source: C:\Users\user\AppData\Local\Temp\4A15.exe

Code function: 11_2_0042FE47 __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

11_2_0042FE47

Source: C:\Users\user\AppData\Local\Temp\4A15.exe

11_2_00419F90

Source: C:\Users\user\AppData\Local\Temp\4A15.exe

11_2_00419F90

Stealing of Sensitive Information

Yara detected RedLine Stealer

Source: Yara match	File source: 33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.50dd858.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.27c2060.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.50dd858.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.508b050.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.506d050.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.508b050.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.506d050.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.5146010.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.27c1058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.5146010.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000021.00000003.469268991.00000000056E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.468431350.0000000005643000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.469512589.00000000057D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.470885243.0000000005859000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.469454471.000000000564C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.483991106.00000000057FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.516044938.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.472304844.0000000005778000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.470469816.000000000581B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.507376862.0000000005644000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.470206409.0000000005645000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.485627593.000000000564A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.482035496.000000000597E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.496675989.00000000057BD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.496428031.00000000056DB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.506833901.0000000005641000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.481731356.00000000057D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.510356408.0000000005642000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.471354546.000000000576B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.467924288.0000000005041000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.505042457.000000000574D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.474548520.000000000591A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.509183662.0000000005641000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.473692356.0000000005641000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.476789219.0000000005648000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.497850220.0000000005649000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.507439123.0000000005772000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.471831991.0000000005644000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.496379528.0000000005640000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.507822905.0000000005BA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.473229721.00000000058DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.494997611.000000000506D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.496490328.0000000005643000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.472464804.00000000058AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.467980289.000000000508B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.468510767.00000000056D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.494027534.0000000005041000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.506566555.0000000005858000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.509036426.0000000005BA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.500072033.0000000005724000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.470706005.000000000574C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.468398950.0000000005145000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.505246801.0000000005646000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.507273041.0000000005885000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.482427984.000000000564C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.506178613.0000000005740000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.513208460.000000000564D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.493953689.00000000027BB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.481357469.0000000005640000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.467436264.00000000027BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.473342046.0000000005647000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.468889858.0000000005767000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.507966249.0000000005647000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.473782346.00000000057A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.469115055.0000000005646000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.469602619.0000000005712000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.496104252.0000000005644000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.469476494.000000000570E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.496455854.0000000005781000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.522960258.0000000005BAF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.473123019.0000000005789000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.511094027.0000000005BAB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.496888012.00000000057FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.496634961.00000000056F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.469550002.0000000005648000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.470580270.000000000564E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.509627314.00000000057AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.496838267.000000000571E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.509729277.0000000005BA3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.496201408.00000000056DD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.509922852.00000000057C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.470309156.0000000005728000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.472618978.0000000005642000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.509816939.000000000564A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.504449157.0000000005647000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.507153782.0000000005763000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.496753788.0000000005647000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.471595724.000000000588F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.468158250.00000000050DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.479409950.000000000595A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.471064264.000000000564D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.518524175.0000000005BAB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.508451891.000000000579B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.473582112.00000000057A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.510464244.00000000057C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.469421690.000000000579A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.522225873.00000000057F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.477931726.00000000057CA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.469945364.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.486685012.000000000580D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.485093495.00000000059BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.502766048.0000000005801000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.521207744.0000000005649000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\s51[1], type: DROPPED
Source: Yara match	File source: C:\Users\user\Pictures\Minor Policy\oM7t40xLe0OgCrSQGKhQ7p6Z.exe, type: DROPPED

Yara detected SmokeLoader

Source: Yara match	File source: 37.2.t3PINyJoW83t7JJSZ5BPE6bi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.t3PINyJoW83t7JJSZ5BPE6bi.exe.27d15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000025.00000002.457133950.00000000004E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.376788233.0000000004111000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.376714688.0000000002600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.428808631.00000000040F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.428789330.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.457074870.00000000004B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected Glupteba

Source: Yara match	File source: 36.2.f8hJzDp1zQtAPJgciyNSoGpb.exe.4b20e67.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.941caPIfMmGnCq8PWe7WWHEk.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.f8hJzDp1zQtAPJgciyNSoGpb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.941caPIfMmGnCq8PWe7WWHEk.exe.4af0e67.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000022.00000002.525875413.0000000000843000.00000040.00000001.01000000.00000017.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.541185132.0000000004F63000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.522431758.0000000000843000.00000040.00000001.01000000.00000019.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.550001229.0000000004F33000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 941caPIfMmGnCq8PWe7WWHEk.exe PID: 7140, type: MEMORYSTR

Yara detected Clipboard Hijacker

Source: Yara match	File source: C:\Users\user\AppData\Local\4204bcd2-893f-40a6-aea5-23bed3094b06\build3.exe, type: DROPPED
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\build3[1].exe, type: DROPPED

Yara detected Fabookie

Source: Yara match	File source: 0000001A.00000003.621914047.00000000039FF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.507939167.0000000003A33000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.497133342.00000000039C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.487597561.00000000039C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.529764912.0000000003A33000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.557010087.0000000003A32000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.540745976.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.555251999.0000000003A32000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.540098239.0000000003A02000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.555268660.00000000039CF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.529294566.0000000003A32000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.624585849.0000000003A10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.565892568.00000000039EF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.587270076.0000000003A24000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: i4PHS5R0iEKcuu4uBuaRKA3v.exe PID: 6864, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Pictures\i4PHS5R0iEKcuu4uBuaRKA3v.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\b7e4c0503c392ad23e181d12e1775bfc
Source: C:\Users\user\Pictures\i4PHS5R0iEKcuu4uBuaRKA3v.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Pictures\i4PHS5R0iEKcuu4uBuaRKA3v.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies

Remote Access Functionality

Yara detected RedLine Stealer

Source: Yara match	File source: 33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.50dd858.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.27c2060.6.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.50dd858.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.508b050.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.506d050.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.508b050.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.506d050.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.5146010.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.27c1058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.3.U58dhzMU8ddvYuIUxUkOSiON.exe.5146010.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000021.00000003.469268991.00000000056E7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.468431350.0000000005643000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.469512589.00000000057D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.470885243.0000000005859000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.469454471.000000000564C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.483991106.00000000057FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.516044938.00000000057E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.472304844.0000000005778000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.470469816.000000000581B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.507376862.0000000005644000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.470206409.0000000005645000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.485627593.000000000564A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.482035496.000000000597E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.496675989.00000000057BD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.496428031.00000000056DB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.506833901.0000000005641000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.481731356.00000000057D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.510356408.0000000005642000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.471354546.000000000576B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.467924288.0000000005041000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.505042457.000000000574D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.474548520.000000000591A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.509183662.0000000005641000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.473692356.0000000005641000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.476789219.0000000005648000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.497850220.0000000005649000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.507439123.0000000005772000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.471831991.0000000005644000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.496379528.0000000005640000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.507822905.0000000005BA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.473229721.00000000058DC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.494997611.000000000506D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.496490328.0000000005643000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.472464804.00000000058AC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.467980289.000000000508B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.468510767.00000000056D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.494027534.0000000005041000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.506566555.0000000005858000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.509036426.0000000005BA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.500072033.0000000005724000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.470706005.000000000574C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.468398950.0000000005145000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.505246801.0000000005646000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.507273041.0000000005885000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.482427984.000000000564C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.506178613.0000000005740000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.513208460.000000000564D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.493953689.00000000027BB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.481357469.0000000005640000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.467436264.00000000027BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.473342046.0000000005647000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.468889858.0000000005767000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.507966249.0000000005647000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.473782346.00000000057A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.469115055.0000000005646000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.469602619.0000000005712000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.496104252.0000000005644000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.469476494.000000000570E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.496455854.0000000005781000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.522960258.0000000005BAF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.473123019.0000000005789000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.511094027.0000000005BAB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.496888012.00000000057FE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.496634961.00000000056F9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.469550002.0000000005648000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.470580270.000000000564E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.509627314.00000000057AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.496838267.000000000571E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.509729277.0000000005BA3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.496201408.00000000056DD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.509922852.00000000057C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.470309156.0000000005728000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.472618978.0000000005642000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.509816939.000000000564A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.504449157.0000000005647000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.507153782.0000000005763000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.496753788.0000000005647000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.471595724.000000000588F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.468158250.00000000050DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.479409950.000000000595A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.471064264.000000000564D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.518524175.0000000005BAB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.508451891.000000000579B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.473582112.00000000057A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.510464244.00000000057C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.469421690.000000000579A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.522225873.00000000057F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.477931726.00000000057CA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.469945364.00000000057E2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.486685012.000000000580D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.485093495.00000000059BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.502766048.0000000005801000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000003.521207744.0000000005649000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\s51[1], type: DROPPED
Source: Yara match	File source: C:\Users\user\Pictures\Minor Policy\oM7t40xLe0OgCrSQGKhQ7p6Z.exe, type: DROPPED

Yara detected SmokeLoader

Source: Yara match	File source: 37.2.t3PINyJoW83t7JJSZ5BPE6bi.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 31.2.t3PINyJoW83t7JJSZ5BPE6bi.exe.27d15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000025.00000002.457133950.00000000004E1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.376788233.0000000004111000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.376714688.0000000002600000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.428808631.00000000040F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.428789330.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.457074870.00000000004B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected Glupteba

Source: Yara match	File source: 36.2.f8hJzDp1zQtAPJgciyNSoGpb.exe.4b20e67.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.941caPIfMmGnCq8PWe7WWHEk.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 36.2.f8hJzDp1zQtAPJgciyNSoGpb.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 34.2.941caPIfMmGnCq8PWe7WWHEk.exe.4af0e67.13.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000022.00000002.525875413.0000000000843000.00000040.00000001.01000000.00000017.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.541185132.0000000004F63000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.522431758.0000000000843000.00000040.00000001.01000000.00000019.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000002.550001229.0000000004F33000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 941caPIfMmGnCq8PWe7WWHEk.exe PID: 7140, type: MEMORYSTR

Yara detected Fabookie

Source: Yara match	File source: 0000001A.00000003.621914047.00000000039FF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.507939167.0000000003A33000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.497133342.00000000039C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.487597561.00000000039C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.529764912.0000000003A33000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.557010087.0000000003A32000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.540745976.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.555251999.0000000003A32000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.540098239.0000000003A02000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.555268660.00000000039CF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.529294566.0000000003A32000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.624585849.0000000003A10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.565892568.00000000039EF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.587270076.0000000003A24000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: i4PHS5R0iEKcuu4uBuaRKA3v.exe PID: 6864, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	11 Windows Management Instrumentation	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	2 Data Encrypted for Impact
Default Accounts	1 Scripting	1 Windows Service	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	1 Input Capture	1 Account Discovery	Remote Desktop Protocol	1 Data from Local System	Exfiltration Over Bluetooth	2 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	2 Native API	121 Registry Run Keys / Startup Folder	1 Windows Service	1 Scripting	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	1 Screen Capture	Automated Exfiltration	1 Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	1 Exploitation for Client Execution	1 Services File Permissions Weakness	712 Process Injection	3 Obfuscated Files or Information	NTDS	36 System Information Discovery	Distributed Component Object Model	1 Input Capture	Scheduled Transfer	1 Proxy	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	3 Command and Scripting Interpreter	Network Logon Script	121 Registry Run Keys / Startup Folder	33 Software Packing	LSA Secrets	1 Query Registry	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	1 Services File Permissions Weakness	1 Timestomp	Cached Domain Credentials	561 Security Software Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	241 Virtualization/Sandbox Evasion	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 File Deletion	Proc Filesystem	3 Process Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	11 Masquerading	/etc/passwd and /etc/shadow	1 Application Window Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	241 Virtualization/Sandbox Evasion	Network Sniffing	3 System Owner/User Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	712 Process Injection	Input Capture	1 Remote System Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop
Compromise Software Supply Chain	Unix Shell	Launchd	Launchd	1 Hidden Files and Directories	Keylogging	1 System Network Configuration Discovery	Component Object Model and Distributed COM	Screen Capture	Exfiltration over USB	DNS			Inhibit System Recovery
Compromise Hardware Supply Chain	Visual Basic	Scheduled Task	Scheduled Task	1 Regsvr32	GUI Input Capture	Domain Groups	Exploitation of Remote Services	Email Collection	Commonly Used Port	Proxy			Defacement
Trusted Relationship	Python	Hypervisor	Process Injection	1 Services File Permissions Weakness	Web Portal Capture	Cloud Groups	Attack PC via USB Connection	Local Email Collection	Standard Application Layer Protocol	Internal Proxy			Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	100%	Avira	HEUR/AGEN.1312455
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\FJSjysH5UVVCzLZbTWiurcoJ.exe	100%	Avira	TR/Spy.Stealer.hpqrg
C:\Users\user\AppData\Local\3R8Ck5RbDm3DwHyYiEHPdMPU.exe	100%	Avira	TR/AD.Swrort.wizll
C:\Users\user\AppData\Local\4204bcd2-893f-40a6-aea5-23bed3094b06\build3.exe	100%	Avira	TR/Crypt.XPACK.Gen8
C:\Users\user\AppData\Local\C2TkN5RHqTOX5vO30NGDVLbB.exe	100%	Avira	HEUR/AGEN.1338858
C:\Users\user\AppData\Local\4204bcd2-893f-40a6-aea5-23bed3094b06\build2.exe	100%	Avira	TR/Crypt.Agent.oqzji
C:\Users\user\AppData\Local\2lVdyQwPNGbHgZp4B3rD4Yqg.exe	100%	Avira	TR/AD.Swrort.wizll
C:\Users\user\AppData\Local\0lRbbbWcsJKvfly5UKkRLgWl.exe	100%	Avira	HEUR/AGEN.1312455
C:\Users\user\AppData\Local\71FtIFRHiuIrBlnLJFT3ZXQN.exe	100%	Avira	HEUR/AGEN.1312455
C:\Users\user\AppData\Local\7NPiD49RQYuqr08A8L1me5Vl.exe	100%	Avira	TR/AD.Swrort.wizll
C:\Users\user\AppData\Local\2mAvooCfaVYrwjbi8P7aQwd5.exe	100%	Avira	HEUR/AGEN.1338858
C:\Users\user\AppData\Local\LhPgYqY29jVhDYACkOwz5AiJ.exe	100%	Avira	HEUR/AGEN.1312455
C:\Users\user\AppData\Local\4nmbyTUdyzoQS5v44sOkHxgO.exe	100%	Avira	HEUR/AGEN.1312455
C:\Users\user\AppData\Local\G2DNcZFdbZ5vEmNAUVLs9Ohf.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\s51[1]	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\4204bcd2-893f-40a6-aea5-23bed3094b06\build2.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\0lRbbbWcsJKvfly5UKkRLgWl.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\71FtIFRHiuIrBlnLJFT3ZXQN.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\CluIFFuzrOPmXrVReYWFXWkl.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\DFhwCIhHEDQ5pEOtcRuwyHkl.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\LhPgYqY29jVhDYACkOwz5AiJ.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\45jOwggrSgiiBeW99lMmxS6j.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\4nmbyTUdyzoQS5v44sOkHxgO.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\0lRbbbWcsJKvfly5UKkRLgWl.exe	47%	ReversingLabs	Win32.Ransomware.GandCrab
C:\Users\user\AppData\Local\2lVdyQwPNGbHgZp4B3rD4Yqg.exe	71%	ReversingLabs	Win64.Trojan.Lgoogloader
C:\Users\user\AppData\Local\2mAvooCfaVYrwjbi8P7aQwd5.exe	22%	ReversingLabs	Win32.Trojan.Babar
C:\Users\user\AppData\Local\3DW8qUWA963x8XKarJJ0WTU1.exe	4%	ReversingLabs
C:\Users\user\AppData\Local\3R8Ck5RbDm3DwHyYiEHPdMPU.exe	71%	ReversingLabs	Win64.Trojan.Lgoogloader
C:\Users\user\AppData\Local\3e7TFXuOpvanKkAtgXUBsjg5.exe	48%	ReversingLabs	Win32.Trojan.ProxyNation
C:\Users\user\AppData\Local\4204bcd2-893f-40a6-aea5-23bed3094b06\build2.exe	96%	ReversingLabs	Win32.Trojan.SmokeLoader
C:\Users\user\AppData\Local\4204bcd2-893f-40a6-aea5-23bed3094b06\build3.exe	82%	ReversingLabs	Win32.Trojan.ClipBanker
C:\Users\user\AppData\Local\4nmbyTUdyzoQS5v44sOkHxgO.exe	47%	ReversingLabs	Win32.Ransomware.GandCrab
C:\Users\user\AppData\Local\7NPiD49RQYuqr08A8L1me5Vl.exe	71%	ReversingLabs	Win64.Trojan.Lgoogloader
C:\Users\user\AppData\Local\90MmY3vsUc9ABzZegEZBdNOJ.exe	48%	ReversingLabs	Win32.Trojan.ProxyNation
C:\Users\user\AppData\Local\9rjyJ5VsLUcAN5cWEKCTLeAn.exe	4%	ReversingLabs
C:\Users\user\AppData\Local\AboFkE91gGtC0jX22BS3GOn1.exe	35%	ReversingLabs	Win64.Trojan.InjectorX
C:\Users\user\AppData\Local\BYpvSgsqBQF2e9VWX5DwhO9b.exe	48%	ReversingLabs	Win32.Trojan.ProxyNation
C:\Users\user\AppData\Local\C2TkN5RHqTOX5vO30NGDVLbB.exe	22%	ReversingLabs	Win32.Trojan.Babar
C:\Users\user\AppData\Local\FJSjysH5UVVCzLZbTWiurcoJ.exe	70%	ReversingLabs	Win32.Trojan.Zusy
C:\Users\user\AppData\Local\HZmkan0RtnpmEbbLPyds7uQ6.exe	48%	ReversingLabs	Win32.Trojan.ProxyNation
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\s51[1]	17%	ReversingLabs	Win32.Trojan.RedLine
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\build2[1].exe	96%	ReversingLabs	Win32.Trojan.SmokeLoader
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\build3[1].exe	82%	ReversingLabs	Win32.Trojan.ClipBanker
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\WJ8I2OL4\s51[1]	17%	ReversingLabs	Win32.Trojan.RedLine
C:\Users\user\AppData\Local\Mrqt0LPomy7YxUAwjV5w1C4Z.exe	47%	ReversingLabs	Win32.Ransomware.GandCrab
C:\Users\user\AppData\Local\N5fklblcsXVYu4JmfhsKVoFv.exe	47%	ReversingLabs	Win32.Trojan.Lgoogloader
C:\Users\user\AppData\Local\OdBy5UCgwCs2zOQ5hgwqYDDW.exe	78%	ReversingLabs	Win64.Trojan.Lgoogloader
C:\Users\user\AppData\Local\PEETw0QK3zD9r7HEE5AR45AO.exe	35%	ReversingLabs	Win64.Trojan.InjectorX
C:\Users\user\AppData\Local\QmwuUY15y0L4DcEZ4ogFMHTp.exe	22%	ReversingLabs	Win32.Trojan.Babar
C:\Users\user\AppData\Local\SXfcayqkk1DZ7GAEIik6FBEC.exe	22%	ReversingLabs	Win32.Trojan.Babar
C:\Users\user\AppData\Local\TNzDEBB9FdUrEB9ZmBfj0vTU.exe	47%	ReversingLabs	Win32.Ransomware.GandCrab
C:\Users\user\AppData\Local\TUpbZ8vU8BuCVac1Gcxet4HJ.exe	70%	ReversingLabs	Win32.Trojan.Zusy
C:\Users\user\AppData\Local\Tc3J3MYPBvAb1zFAQ5lDv3bp.exe	78%	ReversingLabs	Win64.Trojan.Lgoogloader
C:\Users\user\AppData\Local\Temp\2629.exe	53%	ReversingLabs	Win32.Ransomware.MintZard
C:\Users\user\AppData\Local\Temp\4A15.exe	56%	ReversingLabs	Win32.Ransomware.MintZard
C:\Users\user\AppData\Local\Temp\5838081746.exe	17%	ReversingLabs	Win32.Trojan.RedLine
C:\Users\user\AppData\Local\Temp\A388.exe	70%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\BB52.exe	78%	ReversingLabs	ByteCode-MSIL.Trojan.Smokeloader
C:\Users\user\AppData\Local\Temp\is-23R8R.tmp\Pwp3yspp3pM97CCYpnZxEaEs.tmp	30%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\is-N0LK6.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-O59IV.tmp\YRhJ9y7wcq2JenN54ladams2.tmp	6%	ReversingLabs
C:\Users\user\AppData\Local\TtG5py94KsXzXSkP3RqVlzUB.exe	48%	ReversingLabs	Win32.Trojan.ProxyNation
C:\Users\user\AppData\Local\VWecoOkiAKSpFQMeoTrTyGCa.exe	47%	ReversingLabs	Win32.Trojan.Lgoogloader
C:\Users\user\AppData\Local\WQ1sXS4A8SPQ3OH5qUwmsfK7.exe	78%	ReversingLabs	Win64.Trojan.Lgoogloader
C:\Users\user\AppData\Local\X4G1qMGsevrGDCsTxtK3q3TA.exe	70%	ReversingLabs	Win32.Trojan.Zusy
C:\Users\user\AppData\Local\ZMVfke3FfhAYexvtpGaP7QO0.exe	47%	ReversingLabs	Win32.Trojan.Lgoogloader
C:\Users\user\AppData\Local\c8KXUlVEBLWKm0FvrBR7FzOQ.exe	71%	ReversingLabs	Win64.Trojan.Lgoogloader
C:\Users\user\AppData\Local\cIYKpG6eQ8E5shW60pciCDk9.exe	35%	ReversingLabs	Win64.Trojan.InjectorX

Source	Detection	Scanner	Label	Link
http://components.groove.net/Groove/Components/Root.osd?Package=net.groove.Groove.Tools.System.Groov	0%	URL Reputation	safe
http://app.nnnaajjjgc.com/	100%	URL Reputation	malware
https://java.sun.com	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://components.groove.net/Groove/Components/SystemComponents/SystemComponents.osd?Package=net.gro	0%	URL Reputation	safe
http://app.nnnaajjjgc.com/check/safe	100%	URL Reputation	malware
https://www.amsangroup.com/wp-includes/net/gate4.exe	0%	Avira URL Cloud	safe
http://app.nnnaajjjgc.com/check/?sid=1134664&key=5a5e7537a8885a65fb2b4176d4c48e2c	100%	Avira URL Cloud	malware
http://app.nnnaajjjgc.com/check/?sid=1134940&key=9c360413b20472b92e1b278c2654cd9bec507f97304d55a	100%	Avira URL Cloud	malware
http://app.nnnaajjjgc.com/check/?sid=1135340&key=86810d751c0aa0fa28346472918311d6	100%	Avira URL Cloud	malware
http://colisumy.com/dl/build2.exe$run	18%	Virustotal		Browse
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	0%	Virustotal		Browse
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	0%	Avira URL Cloud	safe
http://colisumy.com/dl/build2.exe$run	100%	Avira URL Cloud	malware
https://pastebin.comG	0%	Avira URL Cloud	safe
https://justsafepay.com/03ea740ea772f2ff2218e4ed0bfbac4b/7a54bdb20779c4359694feaa1398dd25.exe	0%	Avira URL Cloud	safe
http://app.nnnaajjjgc.com/check/?sid=1134718&key=abd6c79d9cdea0adf3c5fbb50faa6372y	100%	Avira URL Cloud	malware
http://app.nnnaajjjgc.com/check/?sid=1134916&key=3167af0b34b5a44fdec507f97304d55aad23e1	100%	Avira URL Cloud	malware
http://app.nnnaajjjgc.com/check/?sid=1134916&key=3167af0b34b5a44fdec507f97304d55a	100%	Avira URL Cloud	malware
http://novanosa5org.org/	100%	Avira URL Cloud	malware
http://app.nnnaajjjgc.com/check/safebt	100%	Avira URL Cloud	malware
http://novanosa5org.org/	19%	Virustotal		Browse
http://app.nnnaajjjgc.com/check/?sid=1135418&key=af1ae34227e74b84877a2b0bbf3bee9bmi	100%	Avira URL Cloud	malware
https://www.remobjects.com/ps	0%	Avira URL Cloud	safe
https://www.innosetup.com/	0%	Avira URL Cloud	safe
http://app.nnnaajjjgc.com/check/?sid=1135340&key=86810d751c0aa0fa28346472918311d61:ut	100%	Avira URL Cloud	malware
https://zaoshanghao.suhttps://zaoshanghao.suRegQueryValueExWUUIDPGDSE	0%	Avira URL Cloud	safe
https://www.innosetup.com/	2%	Virustotal		Browse
http://app.nnnaajjjgc.com/check/?sid=1134790&key=72224396aab18bba753981c520d8b1a5Gh	100%	Avira URL Cloud	malware
http://app.nnnaajjjgc.com/check/?sid=1135652&key=52a1fa091a2d98cce516cbabc104bbb1	100%	Avira URL Cloud	malware
http://app.nnnaajjjgc.com:80/check/safe	100%	Avira URL Cloud	malware
http://cvwwajk56uu2la7jl4e2fdxy56veg5hqlaondeb7whvy2vlmreq6jnid.onionS-1-5-21-3853321935-2125563209-	0%	Avira URL Cloud	safe
https://www.remobjects.com/ps	0%	Virustotal		Browse
http://app.nnnaajjjgc.com/check/?sid=1134916&key=3167af0b34b5a44fdec507f97304d55a#	100%	Avira URL Cloud	malware
http://www.innosetup.com/	0%	Avira URL Cloud	safe
http://app.nnnaajjjgc.com:80/check/safe	20%	Virustotal		Browse
http://5.42.64.10/api/files/software/s5.exe	100%	Avira URL Cloud	malware
http://script.google.cpp.nnnaajjjgc.com/check/safe	100%	Avira URL Cloud	malware
http://www.innosetup.com/	2%	Virustotal		Browse
http://app.nnnaajjjgc.com/check/?sid=1134940&key=9c360413b20472b92e1b278c2654cd9b6C92	100%	Avira URL Cloud	malware
http://app.nnnaajjjgc.com/check/?sid=1135340&key=86810d751c0aa0fa28346472918311d66C92	100%	Avira URL Cloud	malware
http://link.storjshare.io/jw6d5ycuf7e6mtiudwapyqs22o2q/less-bucket%2F3la%20barra%2FLightCleaner.exe?	0%	Avira URL Cloud	safe
http://crl.ver)	0%	Avira URL Cloud	safe
http://app.nnnaajjjgc.com/check/?sid=1136320&key=f4073b8c48cdf506608aafebc7c710bd	100%	Avira URL Cloud	malware
http://5.42.64.10/api/files/software/s5.exe	13%	Virustotal		Browse
http://link.storjshare.io/jw6d5ycuf7e6mtiudwapyqs22o2q/less-bucket%2F3la%20barra%2FLightCleaner.exe?	0%	Virustotal		Browse
http://www.360totalsecurity.comIDS_LOAD_P2SP_ERROR/tswin10/tsewin10IDS_UPDATE_QUESTIONIDS_UPDATE_WAR	0%	Avira URL Cloud	safe
http://https://_bad_pdb_file.pdb	0%	Avira URL Cloud	safe
http://app.nnnaajjjgc.com/check/?sid=1136118&key=18166b66b4c087f47773dacf194063c06C92	100%	Avira URL Cloud	malware
https://stats.vk-portal.net	0%	Avira URL Cloud	safe
http://app.nnnaajjjgc.com/check/?sid=1136118&key=18166b66b4c087f47773dacf194063c0	100%	Avira URL Cloud	malware
https://downloads.digitalpulsedata.com/0.16.16/DigitalPulse.exe	100%	Avira URL Cloud	malware
http://app.nnnaajjjgc.com/check/?sid=1135184&key=e2b003b01e4d0eb6ffeb7affbde6d54b	100%	Avira URL Cloud	malware
http://app.nnnaajjjgc.com/check/safe7OM	100%	Avira URL Cloud	malware
https://blockchain.infoindex	0%	Avira URL Cloud	safe
https://potatogoose.com/03ea740ea772f2ff2218e4ed0bfbac4b/baf14778c246e15550645e30ba78ce1c.exe	100%	Avira URL Cloud	malware
https://downloads.digitalpulsedata.com/0.16.16/DigitalPulse.exe	14%	Virustotal		Browse
https://digitalpulsedata.com/pp/	100%	Avira URL Cloud	malware
http://app.nnnaajjjgc.com/check/?sid=1135324&key=7d66a132c21ba63fc78546c9d24589f2	100%	Avira URL Cloud	malware
http://app.nnnaajjjgc.com/check/?sid=1134966&key=0fd5f12a596a555ef492fb98f379fab8	100%	Avira URL Cloud	malware
http://app.nnnaajjjgc.com/check/?sid=1135184&key=e2b003b01e4d0eb6ffeb7affbde6d54b5	100%	Avira URL Cloud	malware
http://ji.alie3ksgbb.com/m/ss29	100%	Avira URL Cloud	malware
https://digitalpulsedata.com/pp/	8%	Virustotal		Browse
http://app.nnnaajjjgc.com/check/?sid=1134718&key=abd6c79d9cdea0adf3c5fbb50faa6372	100%	Avira URL Cloud	malware
https://we.tl/t-e5pgPH03c	0%	Avira URL Cloud	safe
http://app.nnnaajjjgc.com/check/?sid=1134752&key=b91eaeee1ec96f7344a52c72e78649e0w	100%	Avira URL Cloud	malware
http://app.nnnaajjjgc.com/check/?sid=1136320&key=f4073b8c48cdf506608aafebc7c710bdkO	100%	Avira URL Cloud	malware
https://www.amsangroup.com	0%	Avira URL Cloud	safe
http://soryytlic4.net/	100%	Avira URL Cloud	malware
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	0%	Avira URL Cloud	safe
http://zexeq.com/files/1/build3.exe$run	100%	Avira URL Cloud	malware
https://desktop-netinspp.nnnaajjjgc.com/check/?sid=1136320&key=f4073b8c48cdf506608aafebc7c710bd	100%	Avira URL Cloud	malware
https://m7val1dat0r.info	0%	Avira URL Cloud	safe
http://app.nnnaajjjgc.com/check/?sid=1134966&key=0fd5f12a596a555ef492fb9	100%	Avira URL Cloud	malware
http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error	0%	Avira URL Cloud	safe
http://app.nnnaajjjgc.com/check/?sid=1135184&key=e2b003b01e4d0eb6ffeb7affbde6d54b30	100%	Avira URL Cloud	malware
http://zexeq.com/filespp.nnnaajjjgc.com/	100%	Avira URL Cloud	malware
http://app.nnnaajjjgc.com/check/	100%	Avira URL Cloud	malware
http://app.nnnaajjjgc.com/check/?sid=1134810&key=2e80054952ba0f1faf1a5db7f7ffcc01G	100%	Avira URL Cloud	malware
https://potatogoose.com	100%	Avira URL Cloud	malware
http://app.nnnaajjjgc.com/check/?sid=1134630&key=a7f738ef34a58abfd14b211f7ae4d75a;	100%	Avira URL Cloud	malware
http://app.nnnaajjjgc.com/0vx	100%	Avira URL Cloud	malware
http://app.nnnaajjjgc.com/check/?sid=1135652&key=52a1fa091a2d98cce516cbabc104bbb1081221o	100%	Avira URL Cloud	malware
http://zexeq.com/files/1/build3.exerun	100%	Avira URL Cloud	malware
http://app.nnnaajjjgc.com/check/?sid=1134810&key=2e80054952ba0f1faf1a5db7f7ffcc01;	100%	Avira URL Cloud	malware

Name	Malicious	Antivirus Detection	Reputation
http://novanosa5org.org/	true	19%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://soryytlic4.net/	true	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.amsangroup.com/wp-includes/net/gate4.exe	AddInProcess32.exe, 00000012.00000002.709315982.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002E77000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D83000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://app.nnnaajjjgc.com/check/?sid=1134664&key=5a5e7537a8885a65fb2b4176d4c48e2c	i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.484324155.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.482007401.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.483619386.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.478481171.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.477596745.00000000039C9000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.481490961.00000000039D8000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	AddInProcess32.exe, 00000012.00000002.709315982.0000000002DB0000.00000004.00000800.00020000.00000000.sdmp, Pwp3yspp3pM97CCYpnZxEaEs.exe, 0000001C.00000003.440105042.00000000025E8000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://hbn42414.beget.tech	AddInProcess32.exe, 00000012.00000002.709315982.0000000002D83000.00000004.00000800.00020000.00000000.sdmp	false		high
http://app.nnnaajjjgc.com/check/?sid=1134940&key=9c360413b20472b92e1b278c2654cd9bec507f97304d55a	i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.510056403.0000000003A1E000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://colisumy.com/dl/build2.exe$run	4A15.exe, 00000019.00000002.528784929.00000000005FF000.00000004.00000020.00020000.00000000.sdmp	false	18%, Virustotal, Browse Avira URL Cloud: malware	unknown
https://papi.vk.com/pushsse/ruim	4A15.exe, 00000019.00000003.523963155.0000000003170000.00000004.00001000.00020000.00000000.sdmp, 4A15.exe, 00000019.00000003.526468027.0000000003170000.00000004.00001000.00020000.00000000.sdmp, 4A15.exe, 00000019.00000003.523571046.0000000003170000.00000004.00001000.00020000.00000000.sdmp	false		high
http://app.nnnaajjjgc.com/check/?sid=1135340&key=86810d751c0aa0fa28346472918311d6	i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.555268660.00000000039CF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://api.ipify.org/iphttps://api.my-ip.io	U58dhzMU8ddvYuIUxUkOSiON.exe, 00000021.00000003.444125965.0000000004260000.00000004.00001000.00020000.00000000.sdmp	false		high
https://justsafepay.com/03ea740ea772f2ff2218e4ed0bfbac4b/7a54bdb20779c4359694feaa1398dd25.exe	AddInProcess32.exe, 00000012.00000002.709315982.0000000002D93000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://pastebin.comG	AddInProcess32.exe, 00000012.00000002.709315982.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://app.nnnaajjjgc.com/check/?sid=1134718&key=abd6c79d9cdea0adf3c5fbb50faa6372y	i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.504972513.00000000039E1000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.487859289.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.504033756.00000000039D4000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.508038273.00000000039E6000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.484324155.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.487163158.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.483619386.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.487415421.00000000039DA000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.494963976.00000000039D4000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.500068426.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.510336455.00000000039E5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://app.nnnaajjjgc.com/check/?sid=1134916&key=3167af0b34b5a44fdec507f97304d55aad23e1	i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.507939167.0000000003A2D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://vk.com	4A15.exe, 00000019.00000003.523963155.0000000003170000.00000004.00001000.00020000.00000000.sdmp, 4A15.exe, 00000019.00000003.526468027.0000000003170000.00000004.00001000.00020000.00000000.sdmp, 4A15.exe, 00000019.00000003.523571046.0000000003170000.00000004.00001000.00020000.00000000.sdmp	false		high
http://app.nnnaajjjgc.com/check/?sid=1134916&key=3167af0b34b5a44fdec507f97304d55a	i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.507939167.0000000003A33000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.507939167.0000000003A2D000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.510336455.00000000039E5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://app.nnnaajjjgc.com/check/safebt	i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.555268660.00000000039CF000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.571334117.00000000039C9000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.559968655.00000000039CF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://app.nnnaajjjgc.com/check/?sid=1135418&key=af1ae34227e74b84877a2b0bbf3bee9bmi	i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.580765017.0000000003A2B000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.568847528.0000000003A2C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.remobjects.com/ps	Pwp3yspp3pM97CCYpnZxEaEs.exe, 0000001C.00000003.440105042.00000000024F0000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.innosetup.com/	Pwp3yspp3pM97CCYpnZxEaEs.exe, 0000001C.00000003.440105042.00000000024F0000.00000004.00001000.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://app.nnnaajjjgc.com/check/?sid=1135340&key=86810d751c0aa0fa28346472918311d61:ut	i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.555251999.0000000003A32000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://zaoshanghao.suhttps://zaoshanghao.suRegQueryValueExWUUIDPGDSE	941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.557680058.000000000DC88000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://app.nnnaajjjgc.com/check/?sid=1134790&key=72224396aab18bba753981c520d8b1a5Gh	i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.493610182.0000000003A2D000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.503664579.0000000003A1E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://app.nnnaajjjgc.com/check/?sid=1135652&key=52a1fa091a2d98cce516cbabc104bbb1	i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.587270076.0000000003A32000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.588792935.0000000003A2B000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.587270076.0000000003A24000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://turnitin.com/robot/crawlerinfo.html)cannot	941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000400000.00000040.00000001.01000000.00000017.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.522431758.0000000000400000.00000040.00000001.01000000.00000019.sdmp	false		high
http://app.nnnaajjjgc.com:80/check/safe	i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000002.659717297.00000000014B2000.00000004.00000020.00020000.00000000.sdmp	false	20%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	AddInProcess32.exe, 00000012.00000002.709315982.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, 4GAUQKCdkFpttJoyS2YGgxr9.exe, 0000001E.00000002.699952372.00000000035F1000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.reddit.com/	4A15.exe, 00000019.00000003.516279370.0000000003170000.00000004.00001000.00020000.00000000.sdmp	false		high
http://cvwwajk56uu2la7jl4e2fdxy56veg5hqlaondeb7whvy2vlmreq6jnid.onionS-1-5-21-3853321935-2125563209-	941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.557680058.000000000DCD4000.00000004.00001000.00020000.00000000.sdmp	true	Avira URL Cloud: safe	low
http://down.360safe.com/setup.exehttp://down.360safe.com/setupbeta.exe360	V1NdDWPeq5yoU55PUCrHuT1N.exe, 00000023.00000002.445817611.0000000000487000.00000008.00000001.01000000.00000018.sdmp	false		high
http://app.nnnaajjjgc.com/check/?sid=1134916&key=3167af0b34b5a44fdec507f97304d55a#	i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.508038273.00000000039E6000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.510336455.00000000039E5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.innosetup.com/	YRhJ9y7wcq2JenN54ladams2.exe, 00000020.00000003.442316567.0000000002440000.00000004.00001000.00020000.00000000.sdmp, YRhJ9y7wcq2JenN54ladams2.exe, 00000020.00000003.443753613.0000000002330000.00000004.00001000.00020000.00000000.sdmp	false	2%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://5.42.64.10/api/files/software/s5.exe	AddInProcess32.exe, 00000012.00000002.709315982.0000000002DE7000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002E77000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D83000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp	false	13%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://script.google.cpp.nnnaajjjgc.com/check/safe	i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.640934427.0000000003A3E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://app.nnnaajjjgc.com/check/?sid=1134940&key=9c360413b20472b92e1b278c2654cd9b6C92	i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.510056403.0000000003A32000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://app.nnnaajjjgc.com/check/?sid=1135340&key=86810d751c0aa0fa28346472918311d66C92	i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.555251999.0000000003A32000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://link.storjshare.io/jw6d5ycuf7e6mtiudwapyqs22o2q/less-bucket%2F3la%20barra%2FLightCleaner.exe?	YRhJ9y7wcq2JenN54ladams2.exe, 00000020.00000003.526186837.0000000002051000.00000004.00001000.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://components.groove.net/Groove/Components/Root.osd?Package=net.groove.Groove.Tools.System.Groov	explorer.exe, 00000002.00000000.376345728.00007FFC2B229000.00000002.00000001.01000000.00000005.sdmp	false	URL Reputation: safe	unknown
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdline	YRhJ9y7wcq2JenN54ladams2.exe, 00000020.00000002.526416925.0000000000401000.00000020.00000001.01000000.00000015.sdmp	false		high
http://crl.ver)	svchost.exe, 00000004.00000002.448095688.000001AC75CEC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://app.nnnaajjjgc.com/	i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000002.659928263.0000000003840000.00000040.00001000.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.508069337.00000000039D4000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000002.659717297.00000000014BC000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.521926205.00000000039D4000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000002.659906409.00000000036C0000.00000040.00001000.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.510371610.00000000039D4000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.621914047.0000000003A32000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000002.659798164.0000000002DF0000.00000004.00001000.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.624585849.0000000003A32000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.522984526.00000000039D4000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
http://app.nnnaajjjgc.com/check/?sid=1136320&key=f4073b8c48cdf506608aafebc7c710bd	i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.650934958.0000000003A16000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000002.659975363.0000000003A22000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://api.2ip.ua/geo.jsoni	4A15.exe, 0000001D.00000002.678164342.0000000000748000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.360totalsecurity.comIDS_LOAD_P2SP_ERROR/tswin10/tsewin10IDS_UPDATE_QUESTIONIDS_UPDATE_WAR	V1NdDWPeq5yoU55PUCrHuT1N.exe, 00000023.00000002.445804410.0000000000471000.00000002.00000001.01000000.00000018.sdmp	false	Avira URL Cloud: safe	low
http://app.nnnaajjjgc.com/check/?sid=1136118&key=18166b66b4c087f47773dacf194063c06C92	i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.640934427.0000000003A32000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://down.360safe.com/setup.exePathSOFTWARE	V1NdDWPeq5yoU55PUCrHuT1N.exe, 00000023.00000002.445804410.0000000000471000.00000002.00000001.01000000.00000018.sdmp	false		high
http://https://_bad_pdb_file.pdb	941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.00000000051BB000.00000040.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000ACC000.00000040.00000001.01000000.00000017.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.541185132.00000000051EB000.00000040.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://stats.vk-portal.net	4A15.exe, 00000019.00000003.523963155.0000000003170000.00000004.00001000.00020000.00000000.sdmp, 4A15.exe, 00000019.00000003.526468027.0000000003170000.00000004.00001000.00020000.00000000.sdmp, 4A15.exe, 00000019.00000003.523571046.0000000003170000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://app.nnnaajjjgc.com/check/?sid=1136118&key=18166b66b4c087f47773dacf194063c0	i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.641242547.00000000039DA000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.639907595.00000000039C4000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.640934427.0000000003A32000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://downloads.digitalpulsedata.com/0.16.16/DigitalPulse.exe	AddInProcess32.exe, 00000012.00000002.709315982.0000000002DAB000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002DE7000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002E77000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D83000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp	false	14%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://app.nnnaajjjgc.com/check/?sid=1135184&key=e2b003b01e4d0eb6ffeb7affbde6d54b	i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.540098239.0000000003A02000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://app.nnnaajjjgc.com/check/safe7OM	i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.646375492.00000000039C2000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.639907595.00000000039C4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.google.com/feedfetcher.html)HKLM	941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.550001229.0000000004AF0000.00000040.00001000.00020000.00000000.sdmp, 941caPIfMmGnCq8PWe7WWHEk.exe, 00000022.00000002.525875413.0000000000400000.00000040.00000001.01000000.00000017.sdmp, f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.522431758.0000000000400000.00000040.00000001.01000000.00000019.sdmp	false		high
https://api.2ip.ua/geo.json7	4A15.exe, 0000001D.00000002.678164342.000000000078C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://java.sun.com	explorer.exe, 00000002.00000000.374746176.00000000068D2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.374517074.0000000004AFA000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://blockchain.infoindex	f8hJzDp1zQtAPJgciyNSoGpb.exe, 00000024.00000002.522431758.0000000000400000.00000040.00000001.01000000.00000019.sdmp	false	Avira URL Cloud: safe	unknown
https://potatogoose.com/03ea740ea772f2ff2218e4ed0bfbac4b/baf14778c246e15550645e30ba78ce1c.exe	AddInProcess32.exe, 00000012.00000002.709315982.0000000002D97000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://telegram.org/pp.nnnaajjjgc.com/	i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.582090716.00000000039DA000.00000004.00000020.00020000.00000000.sdmp	false		high
https://digitalpulsedata.com/pp/	Pwp3yspp3pM97CCYpnZxEaEs.exe, 0000001C.00000003.439723896.00000000024F0000.00000004.00001000.00020000.00000000.sdmp, Pwp3yspp3pM97CCYpnZxEaEs.exe, 0000001C.00000002.677592753.0000000002287000.00000004.00001000.00020000.00000000.sdmp	false	8%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://app.nnnaajjjgc.com/check/?sid=1135324&key=7d66a132c21ba63fc78546c9d24589f2	i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.555268660.00000000039CF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://app.nnnaajjjgc.com/check/?sid=1134966&key=0fd5f12a596a555ef492fb98f379fab8	i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.518699245.0000000003A25000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.522164708.0000000003A32000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.521926205.00000000039D4000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.522164708.0000000003A2D000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.518699245.0000000003A32000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.522984526.00000000039D4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://app.nnnaajjjgc.com/check/?sid=1135184&key=e2b003b01e4d0eb6ffeb7affbde6d54b5	i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.541322508.00000000039E4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ji.alie3ksgbb.com/m/ss29	AddInProcess32.exe, 00000012.00000002.709315982.0000000002DAB000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002DE7000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002E77000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D83000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://api.2ip.ua/geo.jsonB	4A15.exe, 0000001D.00000002.678164342.0000000000748000.00000004.00000020.00020000.00000000.sdmp	false		high
http://app.nnnaajjjgc.com/check/?sid=1134718&key=abd6c79d9cdea0adf3c5fbb50faa6372	i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.487859289.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.484324155.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.482007401.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.487163158.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.483619386.00000000039D8000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.487415421.00000000039DA000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.494963976.00000000039D4000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.500068426.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.481490961.00000000039D8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://we.tl/t-e5pgPH03c	4A15.exe, 00000019.00000002.528888660.0000000000629000.00000004.00000020.00020000.00000000.sdmp, 4A15.exe, 00000019.00000003.528105248.0000000000629000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://app.nnnaajjjgc.com/check/?sid=1134752&key=b91eaeee1ec96f7344a52c72e78649e0w	i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.487382669.0000000003A33000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ocsp.sectigo.com0	AddInProcess32.exe, 00000012.00000002.709315982.0000000002D51000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002DA7000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D83000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002DB0000.00000004.00000800.00020000.00000000.sdmp, Pwp3yspp3pM97CCYpnZxEaEs.exe, 0000001C.00000003.440105042.00000000025E8000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://app.nnnaajjjgc.com/check/?sid=1136320&key=f4073b8c48cdf506608aafebc7c710bdkO	i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.650934958.0000000003A16000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://components.groove.net/Groove/Components/SystemComponents/SystemComponents.osd?Package=net.gro	explorer.exe, 00000002.00000000.376345728.00007FFC2B229000.00000002.00000001.01000000.00000005.sdmp	false	URL Reputation: safe	unknown
http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU	YRhJ9y7wcq2JenN54ladams2.exe, 00000020.00000002.526416925.0000000000401000.00000020.00000001.01000000.00000015.sdmp	false		high
https://www.amsangroup.com	AddInProcess32.exe, 00000012.00000002.709315982.0000000002DAB000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000012.00000002.709315982.0000000002D9B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.amazon.com/	4A15.exe, 00000019.00000003.516080817.0000000003170000.00000004.00001000.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	AddInProcess32.exe, 00000012.00000002.709315982.0000000002DB0000.00000004.00000800.00020000.00000000.sdmp, Pwp3yspp3pM97CCYpnZxEaEs.exe, 0000001C.00000003.440105042.00000000025E8000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://zexeq.com/files/1/build3.exe$run	4A15.exe, 00000019.00000002.528784929.00000000005FF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.twitter.com/	4A15.exe, 00000019.00000003.516314996.0000000003170000.00000004.00001000.00020000.00000000.sdmp	false		high
https://desktop-netinspp.nnnaajjjgc.com/check/?sid=1136320&key=f4073b8c48cdf506608aafebc7c710bd	i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.650934958.0000000003A32000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://m7val1dat0r.info	4GAUQKCdkFpttJoyS2YGgxr9.exe, 0000001E.00000002.699952372.00000000035F1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://app.nnnaajjjgc.com/check/?sid=1134966&key=0fd5f12a596a555ef492fb9	i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.521926205.00000000039D4000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.522984526.00000000039D4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.openssl.org/support/faq.html	4A15.exe, 0000001D.00000002.665875140.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false		high
http://https://ns1.kriston.ugns2.chalekin.ugns3.unalelath.ugns4.andromath.ug/Error	4A15.exe, 0000000A.00000002.419357601.0000000004470000.00000040.00001000.00020000.00000000.sdmp, 4A15.exe, 0000000B.00000002.435887482.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 4A15.exe, 00000018.00000002.436925476.0000000004380000.00000040.00001000.00020000.00000000.sdmp, 4A15.exe, 00000019.00000002.528674260.0000000000400000.00000040.00000400.00020000.00000000.sdmp, 4A15.exe, 0000001B.00000002.521687562.0000000004390000.00000040.00001000.00020000.00000000.sdmp, 4A15.exe, 0000001D.00000002.665875140.0000000000400000.00000040.00000400.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://app.nnnaajjjgc.com/check/?sid=1135184&key=e2b003b01e4d0eb6ffeb7affbde6d54b30	i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.541322508.00000000039E4000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.550000806.00000000039C9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://zexeq.com/filespp.nnnaajjjgc.com/	i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.555268660.00000000039CF000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.559968655.00000000039CF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://api.2ip.ua/geo.jsonz	4A15.exe, 0000001D.00000002.678164342.0000000000748000.00000004.00000020.00020000.00000000.sdmp	false		high
https://st6-20.vk.com/css/al/base.2e3fc345b3e9701dafc5.css	4A15.exe, 00000019.00000003.523963155.0000000003170000.00000004.00001000.00020000.00000000.sdmp, 4A15.exe, 00000019.00000003.526468027.0000000003170000.00000004.00001000.00020000.00000000.sdmp, 4A15.exe, 00000019.00000003.523571046.0000000003170000.00000004.00001000.00020000.00000000.sdmp	false		high
http://app.nnnaajjjgc.com/check/	i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.644710934.0000000003A19000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.650934958.0000000003A1E000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000002.659975363.0000000003A22000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.559968655.00000000039CF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://app.nnnaajjjgc.com/check/?sid=1134810&key=2e80054952ba0f1faf1a5db7f7ffcc01G	i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.493610182.0000000003A33000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.503664579.0000000003A33000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://potatogoose.com	AddInProcess32.exe, 00000012.00000002.709315982.0000000002DC0000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://app.nnnaajjjgc.com/check/safe	i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.559968655.00000000039CF000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
https://api.2ip.ua/geo.jsonp	4A15.exe, 00000019.00000002.528784929.0000000000578000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.2ip.ua/geo.jsonr	4A15.exe, 0000001D.00000003.584736156.000000000076E000.00000004.00000020.00020000.00000000.sdmp, 4A15.exe, 0000001D.00000002.678164342.0000000000748000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.360safe.com/totalsecurity/en/101/tswin10u/d7http://www.360safe.com/totalsecurity/en/101/t	V1NdDWPeq5yoU55PUCrHuT1N.exe, 00000023.00000000.444126937.000000000056E000.00000002.00000001.01000000.00000018.sdmp	false		high
http://app.nnnaajjjgc.com/check/?sid=1134630&key=a7f738ef34a58abfd14b211f7ae4d75a;	i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.478481171.00000000039E5000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.477596745.00000000039C9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://app.nnnaajjjgc.com/0vx	i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000002.659717297.00000000014BC000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://app.nnnaajjjgc.com/check/?sid=1135652&key=52a1fa091a2d98cce516cbabc104bbb1081221o	i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.587270076.0000000003A32000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://zexeq.com/files/1/build3.exerun	4A15.exe, 00000019.00000003.526920988.00000000030B1000.00000004.00000020.00020000.00000000.sdmp, 4A15.exe, 00000019.00000003.528078249.00000000030B1000.00000004.00000020.00020000.00000000.sdmp, 4A15.exe, 00000019.00000002.529745378.00000000030B1000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://app.nnnaajjjgc.com/check/?sid=1134810&key=2e80054952ba0f1faf1a5db7f7ffcc01;	i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.494963976.00000000039D4000.00000004.00000020.00020000.00000000.sdmp, i4PHS5R0iEKcuu4uBuaRKA3v.exe, 0000001A.00000003.500068426.00000000039E5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://dev.vk.com	4A15.exe, 00000019.00000003.523963155.0000000003170000.00000004.00001000.00020000.00000000.sdmp, 4A15.exe, 00000019.00000003.526468027.0000000003170000.00000004.00001000.00020000.00000000.sdmp, 4A15.exe, 00000019.00000003.523571046.0000000003170000.00000004.00001000.00020000.00000000.sdmp	false		high
http://www.nytimes.com/	4A15.exe, 00000019.00000003.516248171.0000000003170000.00000004.00001000.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
87.236.19.5	unknown	Russian Federation	198610	BEGET-ASRU	false
65.8.243.45	unknown	United States	16509	AMAZON-02US	false
195.201.202.58	unknown	Germany	24940	HETZNER-ASDE	true
8.8.8.8	unknown	United States	15169	GOOGLEUS	false
144.76.136.153	unknown	Germany	24940	HETZNER-ASDE	true
162.0.217.254	unknown	Canada	35893	ACPCA	false
65.8.243.52	unknown	United States	16509	AMAZON-02US	false
172.67.180.173	unknown	United States	13335	CLOUDFLARENETUS	false
65.8.243.108	unknown	United States	16509	AMAZON-02US	false
172.67.202.56	unknown	United States	13335	CLOUDFLARENETUS	false
172.67.187.122	unknown	United States	13335	CLOUDFLARENETUS	false
143.204.29.6	unknown	United States	16509	AMAZON-02US	false
142.250.188.14	unknown	United States	15169	GOOGLEUS	false
143.204.29.2	unknown	United States	16509	AMAZON-02US	false
20.99.184.37	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
172.67.34.170	unknown	United States	13335	CLOUDFLARENETUS	false
162.159.133.233	unknown	United States	13335	CLOUDFLARENETUS	true
143.204.29.20	unknown	United States	16509	AMAZON-02US	false
193.42.32.101	unknown	Germany	3221	EENET-ASEE	true
185.244.226.4	unknown	unknown	197540	NETCUP-ASnetcupGmbHDE	false
194.169.175.127	unknown	Germany	43659	CLOUDCOMPUTINGDE	true
20.99.133.109	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
148.251.234.93	unknown	Germany	24940	HETZNER-ASDE	false
107.167.110.216	unknown	United States	21837	OPERASOFTWAREUS	false
104.21.35.235	unknown	United States	13335	CLOUDFLARENETUS	false
104.21.32.208	unknown	United States	13335	CLOUDFLARENETUS	false
107.167.110.211	unknown	United States	21837	OPERASOFTWAREUS	false
172.67.199.174	unknown	United States	13335	CLOUDFLARENETUS	false
5.42.64.10	unknown	Russian Federation	39493	RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU	false
104.21.18.99	unknown	United States	13335	CLOUDFLARENETUS	true
79.137.192.18	unknown	Russian Federation	42569	PSKSET-ASRU	true
172.67.222.167	unknown	United States	13335	CLOUDFLARENETUS	false
104.21.90.117	unknown	United States	13335	CLOUDFLARENETUS	false
172.67.200.102	unknown	United States	13335	CLOUDFLARENETUS	false
142.250.189.225	unknown	United States	15169	GOOGLEUS	false
181.197.76.240	unknown	Panama	18809	CableOndaPA	false
190.8.176.96	unknown	Colombia	52335	ColombiaHostingCO	false
143.204.29.13	unknown	United States	16509	AMAZON-02US	false
154.221.26.108	unknown	Seychelles	133115	HKKFGL-AS-APHKKwaifongGroupLimitedHK	false
156.236.72.121	unknown	Seychelles	133115	HKKFGL-AS-APHKKwaifongGroupLimitedHK	false
104.21.14.50	unknown	United States	13335	CLOUDFLARENETUS	false
85.217.144.143	unknown	Bulgaria	41995	WS171-ASRU	false
168.119.1.241	unknown	Germany	24940	HETZNER-ASDE	false
213.6.54.58	unknown	Palestinian Territory Occupied	12975	PALTEL-ASPALTELAutonomousSystemPS	true
189.232.123.108	unknown	Mexico	8151	UninetSAdeCVMX	true
104.21.21.180	unknown	United States	13335	CLOUDFLARENETUS	false
172.67.216.81	unknown	United States	13335	CLOUDFLARENETUS	false
77.91.68.78	unknown	Russian Federation	42861	FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU	true
104.20.67.143	unknown	United States	13335	CLOUDFLARENETUS	false
104.21.93.225	unknown	United States	13335	CLOUDFLARENETUS	false

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	38.0.0 Beryl
Analysis ID:	1313517
Start date and time:	2023-09-24 14:03:04 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	66
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	file.exe
Detection:	MAL
Classification:	mal100.rans.troj.spyw.expl.evad.winEXE@149/755@0/51
EGA Information:	Successful, ratio: 100%
HDC Information:	Failed
HCA Information:	Successful, ratio: 89% Number of executed functions: 46 Number of non-executed functions: 112
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, dllhost.exe, consent.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteFile calls found.
Skipping network analysis since amount of network traffic is too extensive

Simulations

Behavior and APIs

Time	Type	Description
05:04:20	Task Scheduler	Run new task: Firefox Default Browser Agent 9AA5E0263B54956D path: C:\Users\user\AppData\Roaming\jwjrtuw
05:04:31	Task Scheduler	Run new task: Time Trigger Task path: C:\Users\user\AppData\Local\d11683cc-0d8b-41c4-a224-c03c55bb751f\4A15.exe s>--Task
05:04:32	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SysHelper "C:\Users\user\AppData\Local\d11683cc-0d8b-41c4-a224-c03c55bb751f\4A15.exe" --AutoStart
05:04:43	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run SysHelper "C:\Users\user\AppData\Local\d11683cc-0d8b-41c4-a224-c03c55bb751f\4A15.exe" --AutoStart
05:04:50	Task Scheduler	Run new task: Azure-Update-Task path: C:\Users\user\AppData\Roaming\Microsoft\Network\mstsca.exe
05:04:53	Task Scheduler	Run new task: DigitalPulseUpdateTask path: C:\Users\user\AppData\Roaming\DigitalPulse\DigitalPulseUpdate.exe
05:05:10	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run DigitalPulse "C:\Users\user\AppData\Roaming\DigitalPulse\DigitalPulseService.exe" 5333:::clickId=:::srcId=
05:05:20	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0Lfhv80yjQqPZSzTm3yFdWPF.bat
05:05:36	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\745tzE4k357KTJX9XrGihSFX.bat
05:05:51	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7LUSH97ozicm8oSAzFzv30fB.bat
05:06:04	Task Scheduler	Run new task: GoogleUpdateTaskMachineQC path: %ProgramFiles%\Google\Chrome\updater.exe
05:06:11	Task Scheduler	Run new task: Opera scheduled Autoupdate 1695557137 path: C:\Users\user\AppData\Local\Programs\Opera\launcher.exe s>--scheduledautoupdate $(Arg0)
05:06:31	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Aflaw6AZSGKIe0s45Bz4rgPm.bat
05:06:51	Task Scheduler	Run new task: PowerControl HR path: C:\Program s>Files (x86)\PowerControl\PowerControl_Svc.exe
05:06:54	Task Scheduler	Run new task: PowerControl LG path: C:\Program s>Files (x86)\PowerControl\PowerControl_Svc.exe
14:04:17	API Interceptor	7202x Sleep call for process: explorer.exe modified
14:04:22	API Interceptor	7x Sleep call for process: svchost.exe modified
14:04:29	API Interceptor	507x Sleep call for process: AddInProcess32.exe modified
14:04:34	API Interceptor	3x Sleep call for process: U58dhzMU8ddvYuIUxUkOSiON.exe modified
14:04:35	API Interceptor	397x Sleep call for process: 4GAUQKCdkFpttJoyS2YGgxr9.exe modified
14:04:41	API Interceptor	3x Sleep call for process: 941caPIfMmGnCq8PWe7WWHEk.exe modified
14:04:43	API Interceptor	1x Sleep call for process: 4A15.exe modified
14:04:44	API Interceptor	13x Sleep call for process: i4PHS5R0iEKcuu4uBuaRKA3v.exe modified
14:04:44	API Interceptor	3x Sleep call for process: f8hJzDp1zQtAPJgciyNSoGpb.exe modified

Process:	C:\Users\user\AppData\Local\Temp\4A15.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	42
Entropy (8bit):	4.802915339393917
Encrypted:	false
SSDEEP:	3:YEPMxilI5dSPppv:Yccfgppv
MD5:	5C6F2CA9408DEE38EF6CB44FDBC49C2B
SHA1:	79E05E85BC156B203373D28405E898876C47A557
SHA-256:	7D9D14E40566109ED303E3979B4DF2CC07FBEF3C8AB95F26663885A8329719F6
SHA-512:	78A989B804552A6E14535FAF9D4362CB9078871B16AE98CC56BF1104556F33606250104027419FD2D94EE206AF226EE2A822537AF46B8B585FC8308E6EFF3754
Malicious:	false
Reputation:	low
Preview:	lfyRgbm7aZ5zpjJggzyGva9vFH6Xpmk3xwjgrUmT..

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	388096
Entropy (8bit):	6.051227739620757
Encrypted:	false
SSDEEP:	6144:CsURDnkqygQwEGZ3ac2LwMkA15AW1cBmRL1Yh87A2tusOm+Nae:C/DkngjJ2AqxYh8XusGb
MD5:	E4FA45F80EC75D24124D434010023355
SHA1:	D495157BA5FF2408B7EF2A1AD6BE1B3C55BF7A1A
SHA-256:	C6D7D32807A9342D95E865E9828CF214722A097EC3F903FF8225D5A2E9C257C2
SHA-512:	717119CB492E9B9818BC86B436ADB67ACDFB4F08E0CCDD666B7B148A01969C18A8DA8BB083D7C86DC4A4857871FC8537CF33E49C75CC189FA3A40442542FB7BA
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 47%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......#uN)g. zg. zg. z.Z.zf. z.b.z}. z.b.z.. z.b.zA. znl.zn. zg.!z.. z.b.zf. z.b.zf. z.b.zf. zRichg. z........PE..L...sw.b.............................T............@.......................... ......S.......................................T...d....0..P...........................................................XB..@............................................text..."........................... ..`.data...DL.......>..................@....rsrc...P....0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Users\user\Pictures\i4PHS5R0iEKcuu4uBuaRKA3v.exe
File Type:	SQLite 3.x database, last written using SQLite version 3041002, file counter 24, database pages 7, 1st free page 5, free pages 2, cookie 0x13, schema 4, UTF-8, version-valid-for 24
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	2.1205625672251087
Encrypted:	false
SSDEEP:	96:cephLnwke2HOPYeTdPC5ss/9DvJ9S0Rwhba5DXMcF0jMoiUZepk8U7MiRmgmdBv:cNBdPC5lF7JlRwE5QjoD1U7MiArZ
MD5:	02837B0227A4435A23DA1AA7256FD333
SHA1:	4E04DCD998641CD9CD1BA94423008FB88AAFBDEA
SHA-256:	13133F5A0C72E224C1CA61F5C4EE66FAEEFF0AEF5B407BE5B6B223559F721EF8
SHA-512:	AFB9BAC4743EECED456797D7FFE354A22BC320B1F8A8DAE68DD2E6394F3580D64615E1511583C7ED5CD5337711D315E244A0437C3E6CC09CA8BF0E619598DC27
Malicious:	true
Reputation:	low
Preview:	SQLite format 3......@ ..........................................................................f..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Windows\explorer.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	984
Entropy (8bit):	5.227423502376633
Encrypted:	false
SSDEEP:	24:Yq6CUXyhm5IUmtQlbNdB6hm5VUmtQlz0Jahm5SUmtQlHZ6T06Mhm5vUmtQlbxdB8:YqDUXycIwbNdUcpwz0JacWwHZ6T06Mcb
MD5:	D9512E54D33D06E68E0C0D36726F7776
SHA1:	2E2ED852C188E0F96FCF861D7B73B8C479379845
SHA-256:	C70B840F192B885EF63C8426B0667EF175424A96DEC79A988C9525AD8E6997D2
SHA-512:	AAFCD49F2C87D4D43076CB4C1357FFAC9AB224ADBD4CEB06961755A0D6305D550090DDA34CAAA3C9B2700EF182CC9D6000BAB87A1A31D15A6A9F7565F60BA515
Malicious:	false
Reputation:	low
Preview:	{"RecentItems":[{"AppID":"Microsoft.Office.OneNote_8wekyb3d8bbwe!microsoft.onenoteim","PenUsageSec":15,"LastSwitchedLowPart":2360844864,"LastSwitchedHighPart":30747916,"PrePopulated":true},{"AppID":"Microsoft.WindowsMaps_8wekyb3d8bbwe!App","PenUsageSec":15,"LastSwitchedLowPart":2350844864,"LastSwitchedHighPart":30747916,"PrePopulated":true},{"AppID":"Microsoft.MSPaint_8wekyb3d8bbwe!Microsoft.MSPaint","PenUsageSec":15,"LastSwitchedLowPart":2340844864,"LastSwitchedHighPart":30747916,"PrePopulated":true},{"AppID":"Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge","PenUsageSec":15,"LastSwitchedLowPart":2330844864,"LastSwitchedHighPart":30747916,"PrePopulated":true},{"AppID":"Microsoft.Windows.Photos_8wekyb3d8bbwe!App","PenUsageSec":15,"LastSwitchedLowPart":2320844864,"LastSwitchedHighPart":30747916,"PrePopulated":true},{"AppID":"Microsoft.Getstarted_8wekyb3d8bbwe!App","PenUsageSec":15,"LastSwitchedLowPart":2310844864,"LastSwitchedHighPart":30747916,"PrePopulated":true}]}

Process:	C:\Users\user\Pictures\U58dhzMU8ddvYuIUxUkOSiON.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1826208
Entropy (8bit):	7.978777574746798
Encrypted:	false
SSDEEP:	49152:rkQTAVchw7doMe+3u+ZVWpGPUMfN7YFRM1UN5:raVchwhd3uolPpfdcCM5
MD5:	878FEE717881CD44FBD351816A653142
SHA1:	8AEFBF1CEFF42F90980CB054BC6AC90089A4F014
SHA-256:	55BF635BE312162A07A1F07AADA3796DC672C8342BADEC00DD33F5E458AAB456
SHA-512:	7E21B7BB78D2D6F3391CCF3DFA6D7F87D12E8719506FD80594DB4F431CB0DD15E0C63EBF11FFCB0B66AFBBB16BF5B51EF9BE4B541EFEBF0424C41172E1AF189E
Malicious:	true
Yara Hits:	Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\s51[1], Author: Joe Security Rule: MALWARE_Win_RedLine, Description: Detects RedLine infostealer, Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\0W10PBUV\s51[1], Author: ditekSHen
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 17%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......h..-,q.~,q.~,q.~2#.~?q.~...~+q.~,q.~\q.~2#n~.q.~2#i~.q.~2#{~-q.~Rich,q.~................j.......PE..L...t..P..........#................./.............@..................................;..........................................P....`...P...........r...k..............................................@............................................text............................... ..`.rdata...m.......n..................@..@.data....0... ......................@....rsrc....P...`...R... ..............@..@................................................................................................................................................................................................................................................................................................................................................................................

Process:	C:\Users\user\Pictures\Pwp3yspp3pM97CCYpnZxEaEs.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3209984
Entropy (8bit):	6.332725013720404
Encrypted:	false
SSDEEP:	49152:CWGtLBcXqFpBR6SVb8kq4pgquLMMji4NYxtJpkxhGjIHTbQ333TYt:utLutqgwh4NYxtJpkxhGj333Ti
MD5:	5B1D2E9056C5F18324FA9DD4041B5463
SHA1:	64A703559E8D67514181F5449A1493ADE67227AF
SHA-256:	DDA18B38700CA62172BA3BD0D2D3B3B0DD43E91FDB67B2B8E24044046FF17769
SHA-512:	961183656C2E0ED1F01EC937E01C5023B9AEA5A9922AA9170735895A3A1E4BBE2B7DE89F16F8C7DF231B145975D103A02DEBF2F24B07DAF0B90C341FE070A324
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 30%
Reputation:	low
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......c.................L,.........hf,......p,...@...........................1.....w.1...@......@....................-.......-..9....................0..)...........................................................-.......-......................text.... ,......",................. ..`.itext...(...@,.....&,............. ..`.data...X....p,......P,.............@....bss.....y....-..........................idata...9....-..:....,.............@....didata.......-.......-.............@....edata........-......-.............@..@.tls....L.....-..........................rdata..]............,-.............@..@.rsrc.................-.............@..@..............1.......0.............@..@........................................................

Process:	C:\Users\user\Pictures\YRhJ9y7wcq2JenN54ladams2.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1062400
Entropy (8bit):	5.4815484240015175
Encrypted:	false
SSDEEP:	24576:XQYh1yLmSKrPD37zzH2A6QD/IpqggE2CfNafM8yx9k0:J02rPD37zzH2A6SBIfNafMlB
MD5:	83827C13D95750C766E5BD293469A7F8
SHA1:	D21B45E9C672D0F85B8B451EE0E824567BB23F91
SHA-256:	8BD7E6B4A6BE9F3887AC6439E97D3D3C8AAA27211D02ECBD925AB1DF39AFE7AE
SHA-512:	CDBDD93FC637772B12BDEDB59C4FB72A291DA61E8C6B0061AD2F9448E8C949543F003646B1F5CE3E1E3AEBC12DE27409DDD76D3874B8F4F098163A1FF328B6F0
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 6%
Reputation:	low
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*..........................................@..........................0............@......@...............................&.......f...................0............................... ......................................................CODE....$........................... ..`DATA.... ...........................@...BSS......................................idata...&.......(..................@....tls.....................................rdata....... ......................@..P.reloc......0......................@..P.rsrc....f.......h..................@..P.....................f..............@..P........................................................................................................................................

Entrypoint:	0x4054ed
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x630DC310 [Tue Aug 30 07:58:08 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	2d6b4f4a9e62e7d851c0b57974ea64af

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3adb4	0x64	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2191000	0xdbe8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x4288	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1fc	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3a96e	0x3aa00	False	0.515550039978678	data	5.644961988138778	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x3c000	0x2154c24	0x3e00	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2191000	0xdbe8	0xdc00	False	0.36851917613636365	data	3.7542698511474337	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Name	RVA	Size	Type	ZLIB Complexity
AFX_DIALOG_LAYOUT	0x219e300	0x2	data	5.0
AFX_DIALOG_LAYOUT	0x219e308	0x2	data	5.0
AFX_DIALOG_LAYOUT	0x219e310	0x2	data	5.0
AFX_DIALOG_LAYOUT	0x219e318	0x2	data	5.0
RT_ICON	0x2191500	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.26514522821576764
RT_ICON	0x2193aa8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	0.3155737704918033
RT_ICON	0x2194458	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	0.6574909747292419
RT_ICON	0x2194d00	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.47894190871369297
RT_ICON	0x21972a8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.5058630393996247
RT_ICON	0x2198380	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	0.27798507462686567
RT_ICON	0x2199228	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	0.39285714285714285
RT_ICON	0x21998f0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	0.4046242774566474
RT_ICON	0x2199e58	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	0.22292531120331951
RT_ICON	0x219c400	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	0.2774390243902439
RT_ICON	0x219d4a8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	0.30040983606557375
RT_ICON	0x219de30	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	0.34397163120567376
RT_STRING	0x219e4e8	0x2a2	Matlab v4 mat-file (little endian) D, numeric, rows 0, columns 0	0.48516320474777447
RT_STRING	0x219e790	0x354	data	0.4671361502347418
RT_STRING	0x219eae8	0x100	data	0.5546875
RT_GROUP_ICON	0x2198350	0x30	data	0.9375
RT_GROUP_ICON	0x2194430	0x22	data	0.9705882352941176
RT_GROUP_ICON	0x219e298	0x68	data	0.7307692307692307
RT_VERSION	0x219e320	0x1c4	ARMv7 Thumb COFF executable, no relocation info, not stripped, 52 sections, symbol offset=0x5f0053, 4522070 symbols, optional header size 82, created Sat Mar 7 05:34:56 1970	0.5530973451327433

DLL	Import
KERNEL32.dll	EnumCalendarInfoW, ReadConsoleA, GetCurrentProcess, SetDefaultCommConfigW, GetEnvironmentStringsW, GetModuleHandleExW, GetComputerNameW, SetCommBreak, CreateHardLinkA, GetSystemDefaultLCID, FreeEnvironmentStringsA, GetConsoleAliasesA, ReadConsoleW, GetConsoleAliasExesW, EnumTimeFormatsW, GetCommandLineA, TzSpecificLocalTimeToSystemTime, GlobalAlloc, LoadLibraryW, SetCommConfig, GetLocaleInfoW, InterlockedPopEntrySList, TransactNamedPipe, EnumSystemCodePagesA, HeapQueryInformation, GetCompressedFileSizeA, MultiByteToWideChar, GetStartupInfoW, DisconnectNamedPipe, DeleteVolumeMountPointA, GetNamedPipeHandleStateW, GetLastError, GetCurrentDirectoryW, ChangeTimerQueueTimer, SetLastError, GetTempFileNameA, LocalAlloc, GetFileType, MoveFileA, RemoveDirectoryW, FindAtomA, FindNextFileA, GetModuleHandleA, SetLocaleInfoW, FatalExit, RequestDeviceWakeup, CreateMailslotA, GetStringTypeW, VirtualProtect, QueryPerformanceFrequency, PeekConsoleInputA, SetCalendarInfoA, FindFirstVolumeA, FindAtomW, GetWindowsDirectoryW, AddConsoleAliasA, OpenFileMappingA, FindResourceW, GetCommandLineW, GetDriveTypeW, GetConsoleAliasesLengthW, WriteConsoleInputW, GetShortPathNameA, GetProcAddress, GetModuleHandleW, ExitProcess, DecodePointer, DeleteFileA, HeapReAlloc, HeapSetInformation, RaiseException, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, EncodePointer, TerminateProcess, HeapAlloc, HeapFree, IsProcessorFeaturePresent, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, InterlockedIncrement, GetCurrentThreadId, InterlockedDecrement, WriteFile, GetStdHandle, GetModuleFileNameW, HeapCreate, SetFilePointer, FreeEnvironmentStringsW, SetHandleCount, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, Sleep, RtlUnwind, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, WideCharToMultiByte, HeapSize, SetStdHandle, GetConsoleCP, GetConsoleMode, FlushFileBuffers, LCMapStringW, ReadFile, WriteConsoleW, CloseHandle, CreateFileW
USER32.dll	CharUpperA
GDI32.dll	SetBkColor, GetCharWidthA, GetKerningPairsA
ADVAPI32.dll	ReadEventLogA

Target ID:	0
Start time:	14:03:55
Start date:	24/09/2023
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k netsvcs -p
Imagebase:	0x7ff7b1050000
File size:	51'288 bytes
MD5 hash:	32569E403279B3FD2EDB7EBD036273FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	1
Start time:	14:03:56
Start date:	24/09/2023
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\file.exe
Imagebase:	0x400000
File size:	313'344 bytes
MD5 hash:	2BA491F6B487017A1C58B647A7E05D3C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000001.00000002.376788233.0000000004111000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000001.00000002.376788233.0000000004111000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000001.00000002.376743466.0000000002659000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000001.00000002.376714688.0000000002600000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000001.00000002.376714688.0000000002600000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000001.00000002.376709250.00000000025F0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Target ID:	2
Start time:	14:04:01
Start date:	24/09/2023
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff763730000
File size:	3'933'184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Target ID:	7
Start time:	14:04:21
Start date:	24/09/2023
Path:	C:\Users\user\AppData\Roaming\jwjrtuw
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\jwjrtuw
Imagebase:	0x400000
File size:	313'344 bytes
MD5 hash:	2BA491F6B487017A1C58B647A7E05D3C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000007.00000002.428763684.00000000026F8000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000007.00000002.428808631.00000000040F1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000007.00000002.428808631.00000000040F1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000007.00000002.428745109.00000000026D0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000007.00000002.428789330.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000007.00000002.428789330.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Target ID:	12
Start time:	14:04:23
Start date:	24/09/2023
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	regsvr32 /s C:\Users\user\AppData\Local\Temp\3958.dll
Imagebase:	0x7ff62df40000
File size:	24'064 bytes
MD5 hash:	D78B75FC68247E8A63ACBA846182740E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	14
Start time:	14:04:26
Start date:	24/09/2023
Path:	C:\Users\user\AppData\Local\Temp\A388.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\A388.exe
Imagebase:	0x7ff68a2f0000
File size:	244'736 bytes
MD5 hash:	3240F8928A130BB155571570C563200A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 70%, ReversingLabs
Reputation:	low
Has exited:	true

Target ID:	24
Start time:	14:04:30
Start date:	24/09/2023
Path:	C:\Users\user\AppData\Local\Temp\4A15.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\4A15.exe" --Admin IsNotAutoStart IsNotTask
Imagebase:	0x400000
File size:	836'608 bytes
MD5 hash:	0511A0C819ADE47392A2F3A51EAF1F0B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Djvu, Description: Yara detected Djvu Ransomware, Source: 00000018.00000002.436925476.0000000004380000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Ransomware_Stop_1e8d48ff, Description: unknown, Source: 00000018.00000002.436925476.0000000004380000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000018.00000002.436833878.0000000004194000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Target ID:	26
Start time:	14:04:31
Start date:	24/09/2023
Path:	C:\Users\user\Pictures\i4PHS5R0iEKcuu4uBuaRKA3v.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Pictures\i4PHS5R0iEKcuu4uBuaRKA3v.exe"
Imagebase:	0x7ff77a410000
File size:	651'776 bytes
MD5 hash:	2D05CB7FB4726BB51C6059540F0E013E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Fabookie, Description: Yara detected Fabookie, Source: 0000001A.00000003.621914047.00000000039FF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Fabookie, Description: Yara detected Fabookie, Source: 0000001A.00000003.507939167.0000000003A33000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Fabookie, Description: Yara detected Fabookie, Source: 0000001A.00000003.497133342.00000000039C1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Fabookie, Description: Yara detected Fabookie, Source: 0000001A.00000003.487597561.00000000039C1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Fabookie, Description: Yara detected Fabookie, Source: 0000001A.00000003.529764912.0000000003A33000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Fabookie, Description: Yara detected Fabookie, Source: 0000001A.00000003.557010087.0000000003A32000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Fabookie, Description: Yara detected Fabookie, Source: 0000001A.00000003.540745976.0000000003ABB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Fabookie, Description: Yara detected Fabookie, Source: 0000001A.00000003.555251999.0000000003A32000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Fabookie, Description: Yara detected Fabookie, Source: 0000001A.00000003.540098239.0000000003A02000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Fabookie, Description: Yara detected Fabookie, Source: 0000001A.00000003.555268660.00000000039CF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Fabookie, Description: Yara detected Fabookie, Source: 0000001A.00000003.529294566.0000000003A32000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Fabookie, Description: Yara detected Fabookie, Source: 0000001A.00000003.624585849.0000000003A10000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Fabookie, Description: Yara detected Fabookie, Source: 0000001A.00000003.565892568.00000000039EF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Fabookie, Description: Yara detected Fabookie, Source: 0000001A.00000003.587270076.0000000003A24000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Target ID:	28
Start time:	14:04:32
Start date:	24/09/2023
Path:	C:\Users\user\Pictures\Pwp3yspp3pM97CCYpnZxEaEs.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Pictures\Pwp3yspp3pM97CCYpnZxEaEs.exe" /SP- /VERYSILENT /SUPPRESSMSGBOXES /PID=5333
Imagebase:	0x400000
File size:	5'550'656 bytes
MD5 hash:	3E74B7359F603F61B92CF7DF47073D4A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Reputation:	low
Has exited:	false

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: SmokeLoader

Threatname: Djvu

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Data Obfuscation

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Bitcoin Miner

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\SystemID\PersonalID.txt

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old

C:\Users\user\AppData\LocalLow\Adobe\AcroCef\DC\Acrobat\Cache\LOG.old.azhi (copy)

C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\2EM0SFDW\www.msn[1].xml

C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\2EM0SFDW\www.msn[1].xml.azhi (copy)

C:\Users\user\AppData\LocalLow\Microsoft\Internet Explorer\DOMStore\NJ1L9FBN\www.google[1].xml

Windows Analysis Report
file.exe

Target ID:	32
Start time:	14:04:33
Start date:	24/09/2023
Path:	C:\Users\user\Pictures\YRhJ9y7wcq2JenN54ladams2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Pictures\YRhJ9y7wcq2JenN54ladams2.exe"
Imagebase:	0x400000
File size:	763'826 bytes
MD5 hash:	A2CC32A235869FF08CE951A7C159D2A3
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Execution Coverage:	3.6%
Dynamic/Decrypted Code Coverage:	65.8%
Signature Coverage:	36.7%
Total number of Nodes:	79
Total number of Limit Nodes:	6

Execution Coverage:	1.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	47.2%
Total number of Nodes:	36
Total number of Limit Nodes:	8

Execution Coverage:	2.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	37.6%
Total number of Nodes:	812
Total number of Limit Nodes:	94

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre