Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1367739
MD5:	b8324acaafaf40cebfe3c91ff01a33b6
SHA1:	fe686866bb58ae8c4c72edd1686ca2fa5bda16c0
SHA256:	8fca1f9021a9ced5f64038dfd78e59a5aa1250758d1455064a752fd142da4a14
Tags:	exe
Infos:

Detection

Glupteba, Petite Virus, SmokeLoader, Socks5Systemz, Stealc

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Benign windows process drops PE files

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

UAC bypass detected (Fodhelper)

Yara detected Glupteba

Yara detected Petite Virus

Yara detected SmokeLoader

Yara detected Socks5Systemz

Yara detected Stealc

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Contains functionality to inject code into remote processes

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Drops PE files with benign system names

Found Tor onion address

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

Injects code into the Windows Explorer (explorer.exe)

Machine Learning detection for sample

Maps a DLL or memory area into another process

PE file contains section with special chars

PE file has nameless sections

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Tries to detect sandboxes / dynamic malware analysis system (file name check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Writes to foreign memory regions

Abnormal high CPU Usage

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Connects to several IPs in different countries

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

Found evasive API chain (may stop execution after checking a module file name)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Registers a DLL

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

file.exe (PID: 7960 cmdline: C:\Users\user\Desktop\file.exe MD5: B8324ACAAFAF40CEBFE3C91FF01A33B6)

explorer.exe (PID: 3968 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

83BC.exe (PID: 2372 cmdline: C:\Users\user\AppData\Local\Temp\83BC.exe MD5: 15184ED11B2354EDA1F1787DCBBCF04A)

83BC.exe (PID: 7768 cmdline: C:\Users\user\AppData\Local\Temp\83BC.exe MD5: 15184ED11B2354EDA1F1787DCBBCF04A)

9561.exe (PID: 3488 cmdline: C:\Users\user\AppData\Local\Temp\9561.exe MD5: 3954CC01C26D1962284F3B95602F2367)

288c47bbc1871b439df19ff4df68f076.exe (PID: 7848 cmdline: "C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe" MD5: 1894F7AA0F57BEC640F13E2EC87840E1)

cmd.exe (PID: 2068 cmdline: C:\Windows\Sysnative\cmd.exe /C fodhelper MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 2092 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

fodhelper.exe (PID: 3076 cmdline: fodhelper MD5: 85018BE1FD913656BC9FF541F017EACD)

fodhelper.exe (PID: 2952 cmdline: "C:\Windows\system32\fodhelper.exe" MD5: 85018BE1FD913656BC9FF541F017EACD)

fodhelper.exe (PID: 3108 cmdline: "C:\Windows\system32\fodhelper.exe" MD5: 85018BE1FD913656BC9FF541F017EACD)

288c47bbc1871b439df19ff4df68f076.exe (PID: 3844 cmdline: "C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe" MD5: 1894F7AA0F57BEC640F13E2EC87840E1)

powershell.exe (PID: 1668 cmdline: powershell -nologo -noprofile MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

InstallSetup9.exe (PID: 6508 cmdline: "C:\Users\user\AppData\Local\Temp\InstallSetup9.exe" MD5: B244F23C876D3F9A81F2C2B395408E70)

InstallSetup9.exe (PID: 1840 cmdline: "C:\Users\user\AppData\Local\Temp\InstallSetup9.exe" MD5: B244F23C876D3F9A81F2C2B395408E70)

BroomSetup.exe (PID: 8000 cmdline: C:\Users\user\AppData\Local\Temp\BroomSetup.exe MD5: 00E93456AA5BCF9F60F84B0C0760A212)

nsuAC75.tmp.exe (PID: 8048 cmdline: C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe MD5: 8D7509943A544938231EAF3A6BE9332E)

toolspub2.exe (PID: 7992 cmdline: "C:\Users\user\AppData\Local\Temp\toolspub2.exe" MD5: 85E39A9EF8C8F1BEEF408EFC12256FF4)

toolspub2.exe (PID: 1200 cmdline: "C:\Users\user\AppData\Local\Temp\toolspub2.exe" MD5: 85E39A9EF8C8F1BEEF408EFC12256FF4)

B137.exe (PID: 3768 cmdline: C:\Users\user\AppData\Local\Temp\B137.exe MD5: 54CD75DEB7E9DBE5151324D48EF485A0)

B137.tmp (PID: 3960 cmdline: "C:\Users\user\AppData\Local\Temp\is-3QNR8.tmp\B137.tmp" /SL5="$30510,4192226,54272,C:\Users\user\AppData\Local\Temp\B137.exe" MD5: A7662827ECAEB4FC68334F6B8791B917)

B137.exe (PID: 4908 cmdline: "C:\Users\user\AppData\Local\Temp\B137.exe" /SPAWNWND=$404C0 /NOTIFYWND=$30510 MD5: 54CD75DEB7E9DBE5151324D48EF485A0)

B137.tmp (PID: 7344 cmdline: "C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp" /SL5="$205C2,4192226,54272,C:\Users\user\AppData\Local\Temp\B137.exe" /SPAWNWND=$404C0 /NOTIFYWND=$30510 MD5: A7662827ECAEB4FC68334F6B8791B917)

net.exe (PID: 4196 cmdline: "C:\Windows\system32\net.exe" helpmsg 28 MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 6808 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 7532 cmdline: C:\Windows\system32\net1 helpmsg 28 MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

cpointasp.exe (PID: 1672 cmdline: "C:\Program Files (x86)\CPointASP\cpointasp.exe" -i MD5: 9DCE8CBCB90200F461757260260F7FB7)

cpointasp.exe (PID: 1964 cmdline: "C:\Program Files (x86)\CPointASP\cpointasp.exe" -s MD5: 9DCE8CBCB90200F461757260260F7FB7)

regsvr32.exe (PID: 5076 cmdline: regsvr32 /s C:\Users\user\AppData\Local\Temp\C1C2.dll MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)

regsvr32.exe (PID: 4924 cmdline: /s C:\Users\user\AppData\Local\Temp\C1C2.dll MD5: 878E47C8656E53AE8A8A21E927C6F7E0)

CDAA.exe (PID: 6044 cmdline: C:\Users\user\AppData\Local\Temp\CDAA.exe MD5: BD21400B49D3C712466E20A9C4422C60)

explorer.exe (PID: 8184 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)

explorer.exe (PID: 3644 cmdline: C:\Windows\explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)

gferuhf (PID: 7520 cmdline: C:\Users\user\AppData\Roaming\gferuhf MD5: B8324ACAAFAF40CEBFE3C91FF01A33B6)

rundll32.exe (PID: 4180 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Glupteba	Glupteba is a trojan horse malware that is one of the top ten malware variants of 2021. After infecting a system, the Glupteba malware can be used to deliver additional malware, steal user authentication information, and enroll the infected system in a cryptomining botnet.	No Attribution	http://resources.infosecinstitute.com/tdss4-part-1/ https://blog.chainalysis.com/reports/2022-crypto-crime-report-preview-malware/ https://blog.google/technology/safety-security/new-action-combat-cyber-crime/ https://blog.google/threat-analysis-group/disrupting-glupteba-operation/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/	https://malpedia.caad.fkie.fraunhofer.de/details/win.glupteba

Name	Description	Attribution	Blogpost URLs	Link
SmokeLoader	The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.	SMOKY SPIDER	http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html http://security.neurolabs.club/2019/10/dynamic-imports-and-working-around.html http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html http://security.neurolabs.club/2020/06/unpacking-smokeloader-and.html https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries	https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af https://github.com/muha2xmad/Python/blob/bdc7a711d5a775f8ae47b591f20fdd2e1360b77b/Stealc/stealc_config_extractor.ipynb	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Malware Configuration

Threatname: StealC

{"C2 url": "http://5.42.66.58/3886d2276f6914c4.php"}

Threatname: SmokeLoader

{"Version": 2020, "C2 list": ["http://host-file-host6.com/", "http://host-host-file8.com/"]}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Program Files (x86)\CPointASP\bin\x86\is-9SQN6.tmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
C:\Program Files (x86)\CPointASP\bin\x86\is-9JRC1.tmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
C:\Program Files (x86)\CPointASP\bin\x86\is-1TTMQ.tmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
C:\Program Files (x86)\CPointASP\bin\x86\is-01D6N.tmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
C:\Program Files (x86)\CPointASP\bin\x86\is-EJ9G2.tmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
C:\Program Files (x86)\CPointASP\bin\x86\is-4CSOT.tmp	JoeSecurity_PetiteVirus	Yara detected Petite Virus	Joe Security
C:\Users\user\AppData\Local\Temp\9561.exe	MALWARE_Win_DLInjector04	Detects downloader / injector	ditekSHen	0x6bf141:$s1: Runner 0x6bf2a6:$s3: RunOnStartup 0x6bf155:$a1: Antis 0x6bf182:$a2: antiVM 0x6bf189:$a3: antiSandbox 0x6bf195:$a4: antiDebug 0x6bf19f:$a5: antiEmulator 0x6bf1ac:$a6: enablePersistence 0x6bf1be:$a7: enableFakeError 0x6bf2cf:$a8: DetectVirtualMachine 0x6bf2f4:$a9: DetectSandboxie 0x6bf31f:$a10: DetectDebugger 0x6bf32e:$a11: CheckEmulator
C:\Users\user\AppData\Local\Temp\BroomSetup.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
Click to see the 3 entries

Memory Dumps

Source	Rule	Description	Author	Strings
0000000F.00000002.1876773105.0000000001F61000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000000F.00000002.1876773105.0000000001F61000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x2f4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000000F.00000002.1863090998.0000000000470000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000000F.00000002.1863090998.0000000000470000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x6f4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000001A.00000002.2605092891.0000000002250000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0000001A.00000002.2605092891.0000000002250000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000022.00000003.2128321951.000000000137A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000022.00000003.2077254246.000000000137A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000003.1346186233.00000000005E0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000008.00000002.4075648542.0000000000843000.00000040.00000001.01000000.0000000A.sdmp	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
00000000.00000002.1414909359.00000000020A1000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.1414909359.00000000020A1000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x2e4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000002C.00000002.4100878154.0000000002A54000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Socks5Systemz	Yara detected Socks5Systemz	Joe Security
0000000E.00000000.1772834822.0000000000401000.00000020.00000001.01000000.0000000D.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000022.00000003.2096984534.000000000137A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.1677531544.00000000020A1000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000004.00000002.1677531544.00000000020A1000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x2e4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000017.00000002.4084338772.0000000000843000.00000040.00000001.01000000.0000000A.sdmp	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
00000004.00000002.1677336992.0000000000498000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x3219:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000004.00000003.1614832570.0000000000580000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000017.00000002.4106141741.0000000003353000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
0000001A.00000002.2604104518.0000000000400000.00000040.00000001.01000000.00000011.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000008.00000002.4107945303.00000000030F0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.1414773059.0000000000609000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x3ad1:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000002C.00000002.4101862181.0000000002B01000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Socks5Systemz	Yara detected Socks5Systemz	Joe Security
00000000.00000002.1414691831.00000000005E0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.1414691831.00000000005E0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x6e4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000004.00000002.1677390187.0000000000580000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000004.00000002.1677390187.0000000000580000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x6e4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000022.00000003.2137389333.000000000137A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000017.00000002.4106141741.0000000002F10000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.1414674284.00000000005D0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000008.00000002.4107945303.0000000003533000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
0000001A.00000002.2604597299.0000000000728000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x1178:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000008.00000002.4107329248.0000000002CF4000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000022.00000003.2120331383.000000000137A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.1677220887.0000000000470000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
0000001A.00000003.1852497320.0000000002270000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0000001A.00000002.2605183067.00000000022D5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000017.00000002.4104489388.0000000002B0C000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000000D.00000002.1778201107.000000000084C000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x13d0:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000022.00000003.2112222291.000000000137A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000022.00000003.2087024904.000000000137A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000005.00000002.1708502854.0000000002318000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000008.00000003.1763762171.0000000003E22000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
Click to see the 40 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.gferuhf.470e67.1.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
26.2.nsuAC75.tmp.exe.2250e67.1.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
26.2.nsuAC75.tmp.exe.2250e67.1.unpack	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation	Detects executables containing potential Windows Defender anti-emulation checks	ditekSHen	0x7efc1:$s1: JohnDoe 0x7ee41:$s2: HAL9TH
4.2.gferuhf.400000.0.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
26.2.nsuAC75.tmp.exe.2250e67.1.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
4.3.gferuhf.580000.0.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
13.2.toolspub2.exe.5c15a0.1.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
26.3.nsuAC75.tmp.exe.2270000.0.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
26.2.nsuAC75.tmp.exe.400000.0.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
26.2.nsuAC75.tmp.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
26.2.nsuAC75.tmp.exe.400000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
15.2.toolspub2.exe.400000.0.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0.3.file.exe.5e0000.0.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0.2.file.exe.5d0e67.1.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0.2.file.exe.400000.0.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
23.2.288c47bbc1871b439df19ff4df68f076.exe.400000.0.unpack	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
14.0.BroomSetup.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
7.0.9561.exe.580000.0.unpack	MALWARE_Win_DLInjector04	Detects downloader / injector	ditekSHen	0x6bf141:$s1: Runner 0x6bf2a6:$s3: RunOnStartup 0x6bf155:$a1: Antis 0x6bf182:$a2: antiVM 0x6bf189:$a3: antiSandbox 0x6bf195:$a4: antiDebug 0x6bf19f:$a5: antiEmulator 0x6bf1ac:$a6: enablePersistence 0x6bf1be:$a7: enableFakeError 0x6bf2cf:$a8: DetectVirtualMachine 0x6bf2f4:$a9: DetectSandboxie 0x6bf31f:$a10: DetectDebugger 0x6bf32e:$a11: CheckEmulator
8.2.288c47bbc1871b439df19ff4df68f076.exe.400000.5.unpack	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
8.2.288c47bbc1871b439df19ff4df68f076.exe.30f0e67.15.unpack	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
23.2.288c47bbc1871b439df19ff4df68f076.exe.2f10e67.8.unpack	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
8.3.288c47bbc1871b439df19ff4df68f076.exe.39e0000.3.unpack	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
Click to see the 17 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://host-host-file8.com/	URL Reputation: Label: malware
Source: http://host-file-host6.com/	URL Reputation: Label: malware

Found malware configuration

Source: 0000000F.00000002.1863090998.0000000000470000.00000004.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: SmokeLoader {"Version": 2020, "C2 list": ["http://host-file-host6.com/", "http://host-host-file8.com/"]}
Source: 0000001A.00000002.2605092891.0000000002250000.00000040.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: StealC {"C2 url": "http://5.42.66.58/3886d2276f6914c4.php"}

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\Drivers\csrss.exe	ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Temp\3205.exe	ReversingLabs: Detection: 56%
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Local\Temp\9561.exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Temp\973D.exe	ReversingLabs: Detection: 51%
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	ReversingLabs: Detection: 29%
Source: C:\Users\user\AppData\Local\Temp\C1C2.dll	ReversingLabs: Detection: 30%
Source: C:\Users\user\AppData\Local\Temp\InstallSetup9.exe	ReversingLabs: Detection: 86%

Multi AV Scanner detection for submitted file

Source: file.exe	ReversingLabs: Detection: 37%
Source: file.exe	Virustotal: Detection: 44%			Perma Link

Yara detected Glupteba

Source: Yara match	File source: 23.2.288c47bbc1871b439df19ff4df68f076.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.288c47bbc1871b439df19ff4df68f076.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.288c47bbc1871b439df19ff4df68f076.exe.30f0e67.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.288c47bbc1871b439df19ff4df68f076.exe.2f10e67.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.288c47bbc1871b439df19ff4df68f076.exe.39e0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.4075648542.0000000000843000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.4084338772.0000000000843000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.4106141741.0000000003353000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4107945303.0000000003533000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1763762171.0000000003E22000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Machine Learning detection for sample

Source: file.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: GetProcAddress
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: LoadLibraryA
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: lstrcatA
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: OpenEventA
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: CreateEventA
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: CloseHandle
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: Sleep
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: GetUserDefaultLangID
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: VirtualAllocExNuma
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: VirtualFree
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: GetSystemInfo
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: VirtualAlloc
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: HeapAlloc
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: GetComputerNameA
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: lstrcpyA
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: GetProcessHeap
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: GetCurrentProcess
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: lstrlenA
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: ExitProcess
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: GlobalMemoryStatusEx
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: GetSystemTime
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: SystemTimeToFileTime
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: advapi32.dll
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: gdi32.dll
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: user32.dll
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: crypt32.dll
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: ntdll.dll
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: GetUserNameA
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: CreateDCA
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: GetDeviceCaps
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: ReleaseDC
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: CryptStringToBinaryA
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: sscanf
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: VMwareVMware
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: HAL9TH
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: JohnDoe
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: DISPLAY
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: default4
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: GetEnvironmentVariableA
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: GetFileAttributesA
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: GlobalLock
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: HeapFree
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: GetFileSize
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: GlobalSize
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: CreateToolhelp32Snapshot
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: IsWow64Process
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: Process32Next
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: GetLocalTime
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: FreeLibrary
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: GetTimeZoneInformation
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: GetSystemPowerStatus
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: GetVolumeInformationA
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: GetWindowsDirectoryA
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: Process32First
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: GetLocaleInfoA
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: GetUserDefaultLocaleName
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: GetModuleFileNameA
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: DeleteFileA
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: FindNextFileA
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: LocalFree
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: FindClose
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: SetEnvironmentVariableA
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: LocalAlloc
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: GetFileSizeEx
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: ReadFile
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: SetFilePointer
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: WriteFile
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: CreateFileA
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: FindFirstFileA
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: CopyFileA
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: VirtualProtect
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: GetLogicalProcessorInformationEx
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: GetLastError
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: lstrcpynA
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: MultiByteToWideChar
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: GlobalFree
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: WideCharToMultiByte
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: GlobalAlloc
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: OpenProcess
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: TerminateProcess
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: GetCurrentProcessId
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: gdiplus.dll
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: ole32.dll
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: bcrypt.dll
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: wininet.dll
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: shlwapi.dll
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: shell32.dll
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: psapi.dll
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: rstrtmgr.dll
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: CreateCompatibleBitmap
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: SelectObject
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: BitBlt
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: DeleteObject
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: CreateCompatibleDC
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: GdipGetImageEncodersSize
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: GdipGetImageEncoders
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: GdipCreateBitmapFromHBITMAP
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: GdiplusStartup
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: GdiplusShutdown
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: GdipSaveImageToStream
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: GdipDisposeImage
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: GdipFree
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: GetHGlobalFromStream
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: CreateStreamOnHGlobal
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: CoUninitialize
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: CoInitialize
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: CoCreateInstance
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: BCryptGenerateSymmetricKey
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: BCryptCloseAlgorithmProvider
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: BCryptDecrypt
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: BCryptSetProperty
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: BCryptDestroyKey
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: BCryptOpenAlgorithmProvider
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: GetWindowRect
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: GetDesktopWindow
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: GetDC
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: CloseWindow
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: wsprintfA
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: EnumDisplayDevicesA
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: GetKeyboardLayoutList
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: CharToOemW
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: wsprintfW
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: RegQueryValueExA
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: RegEnumKeyExA
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: RegOpenKeyExA
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: RegCloseKey
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: RegEnumValueA
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: CryptBinaryToStringA
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: CryptUnprotectData
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: SHGetFolderPathA
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: ShellExecuteExA
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: InternetOpenUrlA
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: InternetConnectA
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: InternetCloseHandle
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: InternetOpenA
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: HttpSendRequestA
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: HttpOpenRequestA
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: InternetReadFile
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: InternetCrackUrlA
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: StrCmpCA
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: StrStrA
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: StrCmpCW
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: PathMatchSpecA
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: GetModuleFileNameExA
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: RmStartSession
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: RmRegisterResources
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: RmGetList
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: RmEndSession
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: sqlite3_open
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: sqlite3_prepare_v2
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: sqlite3_step
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: sqlite3_column_text
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: sqlite3_finalize
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: sqlite3_close
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: sqlite3_column_bytes
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: sqlite3_column_blob
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: encrypted_key
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: PK11SDR_Decrypt
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: browser:
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: profile:
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: login:
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: password:
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: Opera
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: OperaGX
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: Network
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: cookies
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: FALSE
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: autofill
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: SELECT name, value FROM autofill
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: history
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: SELECT url FROM urls LIMIT 1000
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: month:
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: Cookies
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: Login Data
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: History
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: logins.json
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: formSubmitURL
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: usernameField
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: encryptedUsername
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: encryptedPassword
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: formhistory.sqlite
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: SELECT fieldname, value FROM moz_formhistory
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: SELECT url FROM moz_places LIMIT 1000
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: cookies.sqlite
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: places.sqlite
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: plugins
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: Local Extension Settings
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: IndexedDB
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: Opera Stable
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: Opera GX Stable
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: CURRENT
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: chrome-extension_
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: Local State
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: profiles.ini
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: chrome
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: opera
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: firefox
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: wallets
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows NT\CurrentVersion
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: ProductName
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: DisplayName
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: ProcessorNameString
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: DisplayVersion
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: Network Info:
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: System Summary:
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: Installed Apps:
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: Current User:
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: Process List:
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: system_info.txt
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: freebl3.dll
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: mozglue.dll
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: msvcp140.dll
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: softokn3.dll
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: vcruntime140.dll
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: runas
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: files
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: D877F783D5D3EF8C*
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: A7FDF864FBC10B77*
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: A92DAA6EA6F891F2*
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: F8806DD0C461824F*
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: Telegram
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: Password
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: Pidgin
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: accounts.xml
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: dQw4w9WgXcQ
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: config.vdf
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: 00000001
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: 00000002
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: 00000003
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: 00000004
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: token:
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: Software\Valve\Steam
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: SteamPath
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: DialogConfig.vdf
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: DialogConfigOverlay*.vdf
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: libraryfolders.vdf
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: loginusers.vdf
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: sqlite3.dll
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: browsers
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: https
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: Content-Type: multipart/form-data; boundary=----
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: Content-Disposition: form-data; name="
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: build
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: token
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: message
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: ABCDEFGHIJKLMNOPQRSTUVWXYZ1234567890
Source: 26.2.nsuAC75.tmp.exe.400000.0.unpack	String decryptor: screenshot.jpg

Source: 83BC.exe, 00000006.00000003.3038776130.0000000004425000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: -----BEGIN RSA PUBLIC KEY-----

memstr_3b2eff99-4

Privilege Escalation

UAC bypass detected (Fodhelper)

Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Registry value created: DelegateExecute
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Registry value created: NULL "C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

Bitcoin Miner

Yara detected Glupteba

Source: Yara match	File source: 23.2.288c47bbc1871b439df19ff4df68f076.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.288c47bbc1871b439df19ff4df68f076.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.288c47bbc1871b439df19ff4df68f076.exe.30f0e67.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.288c47bbc1871b439df19ff4df68f076.exe.2f10e67.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.288c47bbc1871b439df19ff4df68f076.exe.39e0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.4075648542.0000000000843000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.4084338772.0000000000843000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.4106141741.0000000003353000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4107945303.0000000003533000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1763762171.0000000003E22000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Unpacked PE file: 8.2.288c47bbc1871b439df19ff4df68f076.exe.400000.5.unpack
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Unpacked PE file: 23.2.288c47bbc1871b439df19ff4df68f076.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe	Unpacked PE file: 26.2.nsuAC75.tmp.exe.400000.0.unpack
Source: C:\Program Files (x86)\CPointASP\cpointasp.exe	Unpacked PE file: 40.2.cpointasp.exe.400000.0.unpack
Source: C:\Program Files (x86)\CPointASP\cpointasp.exe	Unpacked PE file: 44.2.cpointasp.exe.400000.0.unpack

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source:	Binary string: EfiGuardDxe.pdb7 source: 288c47bbc1871b439df19ff4df68f076.exe
Source:	Binary string: symsrv.pdbGCTL source: 288c47bbc1871b439df19ff4df68f076.exe, 00000017.00000002.4106141741.0000000003789000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: symsrv.pdb source: 288c47bbc1871b439df19ff4df68f076.exe, 288c47bbc1871b439df19ff4df68f076.exe, 00000017.00000002.4106141741.0000000003789000.00000040.00001000.00020000.00000000.sdmp

Source: C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://5.42.66.58/3886d2276f6914c4.php
Source: Malware configuration extractor	URLs: http://host-file-host6.com/
Source: Malware configuration extractor	URLs: http://host-host-file8.com/

Found Tor onion address

Source: 288c47bbc1871b439df19ff4df68f076.exe	String found in binary or memory: s25519: internal error: setShortBytes called with a long stringhttp2: Transport closing idle conn %p (forSingleUse=%v, maxStream=%v)http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.oniontls: handshake message of length %d bytes exceeds maximum o
Source: 288c47bbc1871b439df19ff4df68f076.exe	String found in binary or memory: nvalid checksumheadTailIndex overflowheader field %q = %q%shide process ID %d: %whpack: string too longhsmiths4fyqlw5xw.onionhsmiths5mjk6uijs.onionhttp2: frame too largehttp://localhost:3433/https://duniadekho.baridna: invalid label %qinappropriate fallbackint

Source: unknown

Network traffic detected: IP country count 20

Source: Joe Sandbox View

IP Address: 172.67.202.60 172.67.202.60

Source: 288c47bbc1871b439df19ff4df68f076.exe	String found in binary or memory: OS X; U; en) Presto/2.6.30 Version/10.61facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)tls: internal error: handshake returned an error but is marked successfultls: received unexpected handshake message of type %T when waiting for %T equals www.facebook.com (Facebook)
Source: 288c47bbc1871b439df19ff4df68f076.exe	String found in binary or memory: o Debian/1.6-7Mozilla/5.0 (compatible; Konqueror/3.3; Linux 2.6.8-gentoo-r3; X11;facebookscraper/1.0( http://www.facebook.com/sharescraper_help.php)2695994666715063979466701508701962594045780771442439172168272236806126959946667150639794667015087019630673557916 equals www.facebook.com (Facebook)

Source: 288c47bbc1871b439df19ff4df68f076.exe	String found in binary or memory: http://archive.org/details/archive.org_bot)Mozilla/5.0
Source: explorer.exe, 00000002.00000000.1401121668.00000000094DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1401121668.000000000952D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000002.00000000.1401121668.00000000094DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1401121668.000000000952D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000002.00000000.1401121668.00000000094DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1401121668.000000000952D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1401121668.0000000009519000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: 288c47bbc1871b439df19ff4df68f076.exe	String found in binary or memory: http://devlog.gregarius.net/docs/ua)Links
Source: 288c47bbc1871b439df19ff4df68f076.exe	String found in binary or memory: http://grub.org)Mozilla/5.0
Source: 288c47bbc1871b439df19ff4df68f076.exe	String found in binary or memory: http://help.yahoo.com/help/us/ysearch/slurp)SonyEricssonK550i/R1JD
Source: 288c47bbc1871b439df19ff4df68f076.exe	String found in binary or memory: http://invalidlog.txtlookup
Source: 288c47bbc1871b439df19ff4df68f076.exe	String found in binary or memory: http://localhost:3433/https://duniadekho.baridna:
Source: 288c47bbc1871b439df19ff4df68f076.exe	String found in binary or memory: http://misc.yahoo.com.cn/help.html)QueryPerformanceFrequency
Source: explorer.exe, 00000002.00000000.1401121668.00000000094DC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1401121668.000000000952D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000002.00000000.1398152644.000000000305D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000002.00000000.1400138185.0000000007AF0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1397922890.0000000002C00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1400153686.0000000007B10000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: 288c47bbc1871b439df19ff4df68f076.exe	String found in binary or memory: http://search.msn.com/msnbot.htm)msnbot/1.1
Source: 288c47bbc1871b439df19ff4df68f076.exe	String found in binary or memory: http://search.msn.com/msnbot.htm)net/http:
Source: 288c47bbc1871b439df19ff4df68f076.exe	String found in binary or memory: http://search.msn.com/msnbot.htm)pkcs7:
Source: 288c47bbc1871b439df19ff4df68f076.exe	String found in binary or memory: http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.oniontls:
Source: 288c47bbc1871b439df19ff4df68f076.exe	String found in binary or memory: http://www.alexa.com/help/webmasters;
Source: 288c47bbc1871b439df19ff4df68f076.exe	String found in binary or memory: http://www.alltheweb.com/help/webmaster/crawler)Mozilla/5.0
Source: 288c47bbc1871b439df19ff4df68f076.exe	String found in binary or memory: http://www.archive.org/details/archive.org_bot)Opera/9.80
Source: explorer.exe, 00000002.00000000.1399234102.00000000070CE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: 288c47bbc1871b439df19ff4df68f076.exe	String found in binary or memory: http://www.avantbrowser.com)MOT-V9mm/
Source: 288c47bbc1871b439df19ff4df68f076.exe	String found in binary or memory: http://www.baidu.com/search/spider.htm)MobileSafari/600.1.4
Source: 288c47bbc1871b439df19ff4df68f076.exe	String found in binary or memory: http://www.bloglines.com)Frame
Source: 288c47bbc1871b439df19ff4df68f076.exe	String found in binary or memory: http://www.everyfeed.com)explicit
Source: 288c47bbc1871b439df19ff4df68f076.exe	String found in binary or memory: http://www.exabot.com/go/robot)Opera/9.80
Source: 288c47bbc1871b439df19ff4df68f076.exe	String found in binary or memory: http://www.google.c
Source: 288c47bbc1871b439df19ff4df68f076.exe	String found in binary or memory: http://www.google.com/bot.html)Mozilla/5.0
Source: 288c47bbc1871b439df19ff4df68f076.exe	String found in binary or memory: http://www.google.com/bot.html)crypto/ecdh:
Source: 288c47bbc1871b439df19ff4df68f076.exe	String found in binary or memory: http://www.google.com/feedfetcher.html)HKLM
Source: 288c47bbc1871b439df19ff4df68f076.exe	String found in binary or memory: http://www.googlebot.com/bot.html)Links
Source: 288c47bbc1871b439df19ff4df68f076.exe	String found in binary or memory: http://www.spidersoft.com)
Source: 288c47bbc1871b439df19ff4df68f076.exe	String found in binary or memory: http://yandex.com/bots)Opera
Source: 288c47bbc1871b439df19ff4df68f076.exe	String found in binary or memory: http://yandex.com/bots)Opera/9.51
Source: explorer.exe, 00000002.00000000.1403829585.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppin
Source: explorer.exe, 00000002.00000000.1403829585.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000002.00000000.1401121668.00000000093B4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/$
Source: explorer.exe, 00000002.00000000.1401121668.00000000093B4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/X
Source: explorer.exe, 00000002.00000000.1397371484.00000000008DE000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1398152644.0000000002FA0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000002.00000000.1401121668.00000000093B4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000002.00000000.1399234102.0000000006F96000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=C2BB6DDCE8D847D6B779FE8AEC27D161&timeOut=5000&oc
Source: explorer.exe, 00000002.00000000.1399234102.0000000006F96000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1398152644.0000000002FA0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000002.00000000.1401121668.0000000009390000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.comWzE
Source: explorer.exe, 00000002.00000000.1399234102.0000000006F96000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000002.00000000.1399234102.0000000006F96000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
Source: explorer.exe, 00000002.00000000.1399234102.0000000006F96000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg
Source: explorer.exe, 00000002.00000000.1399234102.0000000006F96000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi
Source: 288c47bbc1871b439df19ff4df68f076.exe	String found in binary or memory: https://blockchain.infoindex
Source: 288c47bbc1871b439df19ff4df68f076.exe	String found in binary or memory: https://blockstream.info/apiinva
Source: 288c47bbc1871b439df19ff4df68f076.exe	String found in binary or memory: https://cdn.discordapp.com/attachments/1088058556286251082/1111230812579450950/TsgVtmYNoFT.zipMozill
Source: explorer.exe, 00000002.00000000.1399234102.0000000006F96000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
Source: explorer.exe, 00000002.00000000.1399234102.0000000006F96000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
Source: explorer.exe, 00000002.00000000.1403829585.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.comE
Source: 288c47bbc1871b439df19ff4df68f076.exe	String found in binary or memory: https://github.com/Snawoot/opera-proxy/releases/download/v1.2.2/opera-proxy.windows-386.exeBlackBerr
Source: explorer.exe, 00000002.00000000.1399234102.0000000006F96000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15G9PH.img
Source: explorer.exe, 00000002.00000000.1399234102.0000000006F96000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hJkDs.img
Source: explorer.exe, 00000002.00000000.1399234102.0000000006F96000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
Source: explorer.exe, 00000002.00000000.1403829585.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.comNaP0B
Source: explorer.exe, 00000002.00000000.1403829585.000000000CFF4000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comcemberZ
Source: 288c47bbc1871b439df19ff4df68f076.exe	String found in binary or memory: https://raw.githubusercontent.com/spesmilo/electrum/master/electrum/servers.jsonsize
Source: 83BC.exe, 00000006.00000003.2792254345.00000000029BD000.00000004.00000020.00020000.00000000.sdmp, 83BC.exe, 00000006.00000003.2777166580.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, 83BC.exe, 00000006.00000003.2777583545.0000000003719000.00000004.00000020.00020000.00000000.sdmp, 83BC.exe, 00000006.00000003.2890107185.00000000029BD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sabotage.net
Source: 288c47bbc1871b439df19ff4df68f076.exe	String found in binary or memory: https://turnitin.com/robot/crawlerinfo.html)cannot
Source: explorer.exe, 00000002.00000000.1399234102.0000000006F96000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000002.00000000.1399234102.0000000006F96000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000002.00000000.1401737978.0000000009724000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/bat
Source: explorer.exe, 00000002.00000000.1403829585.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com576
Source: explorer.exe, 00000002.00000000.1399234102.0000000006F96000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/health/wellness/7-secrets-to-a-happy-old-age-backed-by-science/ss-AA1hwpvW
Source: explorer.exe, 00000002.00000000.1399234102.0000000006F96000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
Source: explorer.exe, 00000002.00000000.1399234102.0000000006F96000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/companies/legacy-park-auction-canceled-liquidation-proposed-here-s-w
Source: explorer.exe, 00000002.00000000.1399234102.0000000006F96000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al
Source: explorer.exe, 00000002.00000000.1399234102.0000000006F96000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/realestate/my-husband-and-i-paid-off-our-mortgage-more-than-15-years
Source: explorer.exe, 00000002.00000000.1399234102.0000000006F96000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/crime/bar-fight-leaves-man-in-critical-condition-suspect-arrested-in-
Source: explorer.exe, 00000002.00000000.1399234102.0000000006F96000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/crime/one-dead-several-wounded-after-drive-by-shootings-in-south-la/a
Source: explorer.exe, 00000002.00000000.1399234102.0000000006F96000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/opinion/decline-of-decorum-21-essential-manners-today-s-parents-fail-
Source: explorer.exe, 00000002.00000000.1399234102.0000000006F96000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/california-workers-will-get-five-sick-days-instead-of-three-
Source: explorer.exe, 00000002.00000000.1399234102.0000000006F96000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/pastor-of-atlanta-based-megachurch-faces-backlash-after-controv
Source: explorer.exe, 00000002.00000000.1399234102.0000000006F96000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/ukraine-live-briefing-biden-does-worry-house-drama-will-impact-
Source: explorer.exe, 00000002.00000000.1399234102.0000000006F96000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve
Source: explorer.exe, 00000002.00000000.1399234102.0000000006F96000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 4.2.gferuhf.470e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.gferuhf.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.gferuhf.580000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.toolspub2.exe.5c15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.toolspub2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.5e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.5d0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.1876773105.0000000001F61000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1863090998.0000000000470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1346186233.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1414909359.00000000020A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1677531544.00000000020A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.1614832570.0000000000580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1414691831.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1677390187.0000000000580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

E-Banking Fraud

Yara detected Glupteba

Source: Yara match	File source: 23.2.288c47bbc1871b439df19ff4df68f076.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.288c47bbc1871b439df19ff4df68f076.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.288c47bbc1871b439df19ff4df68f076.exe.30f0e67.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.288c47bbc1871b439df19ff4df68f076.exe.2f10e67.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.288c47bbc1871b439df19ff4df68f076.exe.39e0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.4075648542.0000000000843000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.4084338772.0000000000843000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.4106141741.0000000003353000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4107945303.0000000003533000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1763762171.0000000003E22000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 26.2.nsuAC75.tmp.exe.2250e67.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 7.0.9561.exe.580000.0.unpack, type: UNPACKEDPE	Matched rule: Detects downloader / injector Author: ditekSHen
Source: 0000000F.00000002.1876773105.0000000001F61000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000000F.00000002.1863090998.0000000000470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000001A.00000002.2605092891.0000000002250000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.1414909359.00000000020A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000004.00000002.1677531544.00000000020A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000004.00000002.1677336992.0000000000498000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000008.00000002.4107945303.00000000030F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.1414773059.0000000000609000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.1414691831.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000004.00000002.1677390187.0000000000580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000017.00000002.4106141741.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.1414674284.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000001A.00000002.2604597299.0000000000728000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000008.00000002.4107329248.0000000002CF4000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000004.00000002.1677220887.0000000000470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000017.00000002.4104489388.0000000002B0C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 0000000D.00000002.1778201107.000000000084C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000005.00000002.1708502854.0000000002318000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: C:\Users\user\AppData\Local\Temp\9561.exe, type: DROPPED	Matched rule: Detects downloader / injector Author: ditekSHen

PE file contains section with special chars

Source: C1C2.dll.2.dr	Static PE information: section name: b=W\|
Source: CDAA.exe.2.dr	Static PE information: section name: .AVI;
Source: CDAA.exe.2.dr	Static PE information: section name: .AVI;
Source: 3205.exe.2.dr	Static PE information: section name: .AVI;
Source: 3205.exe.2.dr	Static PE information: section name: .AVI;

PE file has nameless sections

Source: is-01D6N.tmp.37.dr	Static PE information: section name:
Source: is-01D6N.tmp.37.dr	Static PE information: section name:
Source: is-LJEF3.tmp.37.dr	Static PE information: section name:
Source: is-9SQN6.tmp.37.dr	Static PE information: section name:
Source: is-9SQN6.tmp.37.dr	Static PE information: section name:
Source: is-1TTMQ.tmp.37.dr	Static PE information: section name:
Source: is-1TTMQ.tmp.37.dr	Static PE information: section name:
Source: is-7TH98.tmp.37.dr	Static PE information: section name:
Source: is-7QIAL.tmp.37.dr	Static PE information: section name:
Source: is-7QIAL.tmp.37.dr	Static PE information: section name:
Source: is-7QIAL.tmp.37.dr	Static PE information: section name:
Source: is-9JRC1.tmp.37.dr	Static PE information: section name:
Source: is-9JRC1.tmp.37.dr	Static PE information: section name:
Source: is-VT3M5.tmp.37.dr	Static PE information: section name:
Source: is-VT3M5.tmp.37.dr	Static PE information: section name:
Source: is-VT3M5.tmp.37.dr	Static PE information: section name:
Source: is-4CSOT.tmp.37.dr	Static PE information: section name:
Source: is-4CSOT.tmp.37.dr	Static PE information: section name:
Source: is-7RFNU.tmp.37.dr	Static PE information: section name:
Source: is-7RFNU.tmp.37.dr	Static PE information: section name:
Source: is-KS29E.tmp.37.dr	Static PE information: section name:
Source: is-KS29E.tmp.37.dr	Static PE information: section name:
Source: is-KS29E.tmp.37.dr	Static PE information: section name:
Source: is-EJ9G2.tmp.37.dr	Static PE information: section name:
Source: is-EJ9G2.tmp.37.dr	Static PE information: section name:
Source: is-VRA2K.tmp.37.dr	Static PE information: section name:
Source: is-VRA2K.tmp.37.dr	Static PE information: section name:
Source: is-VRA2K.tmp.37.dr	Static PE information: section name:

Source: C:\Windows\explorer.exe	Process Stats: CPU usage > 49%
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00401590 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401590
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004015CB NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_004015CB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00403383 LdrLoadDll,ExpandEnvironmentStringsW,CreateFileW,CreateFileMappingW,MapViewOfFile,NtMapViewOfSection,NtDuplicateObject,NtQuerySystemInformation,NtOpenKey,NtQueryKey,NtEnumerateKey,RtlCreateUserThread,strstr,tolower,towlower,	0_2_00403383
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040159B NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_0040159B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004015B0 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_004015B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004015BC NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_004015BC
Source: C:\Users\user\AppData\Roaming\gferuhf	Code function: 4_2_00401590 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_00401590
Source: C:\Users\user\AppData\Roaming\gferuhf	Code function: 4_2_004015CB NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_004015CB
Source: C:\Users\user\AppData\Roaming\gferuhf	Code function: 4_2_00403383 LdrLoadDll,ExpandEnvironmentStringsW,CreateFileW,CreateFileMappingW,MapViewOfFile,NtEnumerateKey,	4_2_00403383
Source: C:\Users\user\AppData\Roaming\gferuhf	Code function: 4_2_0040159B NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_0040159B
Source: C:\Users\user\AppData\Roaming\gferuhf	Code function: 4_2_004015B0 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_004015B0
Source: C:\Users\user\AppData\Roaming\gferuhf	Code function: 4_2_004015BC NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_004015BC
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Code function: 5_2_024E0110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess,	5_2_024E0110

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00403383	0_2_00403383
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041784F	0_2_0041784F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041844F	0_2_0041844F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042D803	0_2_0042D803
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00417C23	0_2_00417C23
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041802F	0_2_0041802F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042E0EE	0_2_0042E0EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0040F903	0_2_0040F903
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0043053F	0_2_0043053F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042CD94	0_2_0042CD94
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042DE73	0_2_0042DE73
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042BECE	0_2_0042BECE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042D2BF	0_2_0042D2BF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041737A	0_2_0041737A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0042E3F3	0_2_0042E3F3
Source: C:\Users\user\AppData\Roaming\gferuhf	Code function: 4_2_0041784F	4_2_0041784F
Source: C:\Users\user\AppData\Roaming\gferuhf	Code function: 4_2_0041844F	4_2_0041844F
Source: C:\Users\user\AppData\Roaming\gferuhf	Code function: 4_2_0042D803	4_2_0042D803
Source: C:\Users\user\AppData\Roaming\gferuhf	Code function: 4_2_00417C23	4_2_00417C23
Source: C:\Users\user\AppData\Roaming\gferuhf	Code function: 4_2_0041802F	4_2_0041802F
Source: C:\Users\user\AppData\Roaming\gferuhf	Code function: 4_2_0042E0EE	4_2_0042E0EE
Source: C:\Users\user\AppData\Roaming\gferuhf	Code function: 4_2_0040F903	4_2_0040F903
Source: C:\Users\user\AppData\Roaming\gferuhf	Code function: 4_2_0043053F	4_2_0043053F
Source: C:\Users\user\AppData\Roaming\gferuhf	Code function: 4_2_0042CD94	4_2_0042CD94
Source: C:\Users\user\AppData\Roaming\gferuhf	Code function: 4_2_0042DE73	4_2_0042DE73
Source: C:\Users\user\AppData\Roaming\gferuhf	Code function: 4_2_0042BECE	4_2_0042BECE
Source: C:\Users\user\AppData\Roaming\gferuhf	Code function: 4_2_0042D2BF	4_2_0042D2BF
Source: C:\Users\user\AppData\Roaming\gferuhf	Code function: 4_2_0041737A	4_2_0041737A
Source: C:\Users\user\AppData\Roaming\gferuhf	Code function: 4_2_0042E3F3	4_2_0042E3F3
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Code function: 5_2_005D905B	5_2_005D905B
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Code function: 5_2_0041787A	5_2_0041787A
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Code function: 5_2_0041894F	5_2_0041894F
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Code function: 5_2_00418123	5_2_00418123
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Code function: 5_2_005D89EB	5_2_005D89EB
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Code function: 5_2_005D92D6	5_2_005D92D6
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Code function: 5_2_0040FAF6	5_2_0040FAF6
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Code function: 5_2_005D6B9B	5_2_005D6B9B
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Code function: 5_2_0040A3B7	5_2_0040A3B7
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Code function: 5_2_005D84A7	5_2_005D84A7
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Code function: 5_2_00417D4F	5_2_00417D4F
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Code function: 5_2_0040356E	5_2_0040356E
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Code function: 5_2_0040A50D	5_2_0040A50D
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Code function: 5_2_0041852F	5_2_0041852F
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Code function: 5_2_005D95DB	5_2_005D95DB
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Code function: 5_2_005D9D9F	5_2_005D9D9F
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Code function: 5_2_00404D8B	5_2_00404D8B
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Code function: 5_2_005DC65B	5_2_005DC65B
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Code function: 5_2_005D7F7C	5_2_005D7F7C
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Code function: 5_2_00414FC8	5_2_00414FC8

Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Code function: String function: 0040789D appears 38 times
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Code function: String function: 00404B04 appears 51 times

Source: B137.exe.2.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: B137.tmp.24.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: B137.tmp.24.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: B137.tmp.24.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: B137.tmp.24.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: B137.tmp.32.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: B137.tmp.32.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: B137.tmp.32.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: B137.tmp.32.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: is-UK3TA.tmp.37.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-UK3TA.tmp.37.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: is-UK3TA.tmp.37.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-UK3TA.tmp.37.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped

Source: BroomSetup.exe.12.dr	Static PE information: Number of sections : 11 > 10
Source: is-AO7D9.tmp.37.dr	Static PE information: Number of sections : 11 > 10
Source: is-F3LHF.tmp.37.dr	Static PE information: Number of sections : 11 > 10
Source: is-93FRL.tmp.37.dr	Static PE information: Number of sections : 11 > 10

Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: dui70.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: duser.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.ui.fileexplorer.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: uiribbon.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: networkexplorer.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.shell.userer.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cdprt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Section loaded: csunsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Section loaded: swift.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Section loaded: nfhwcrhk.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Section loaded: surewarehook.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Section loaded: csunsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Section loaded: aep.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Section loaded: atasi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Section loaded: swift.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Section loaded: nfhwcrhk.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Section loaded: nuronssl.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Section loaded: surewarehook.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Section loaded: ubsec.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Section loaded: aep.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Section loaded: atasi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Section loaded: swift.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Section loaded: nfhwcrhk.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Section loaded: nuronssl.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Section loaded: surewarehook.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Section loaded: ubsec.dll	Jump to behavior

Source: file.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 26.2.nsuAC75.tmp.exe.2250e67.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 7.0.9561.exe.580000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector04 author = ditekSHen, description = Detects downloader / injector
Source: 0000000F.00000002.1876773105.0000000001F61000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000000F.00000002.1863090998.0000000000470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000001A.00000002.2605092891.0000000002250000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.1414909359.00000000020A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000004.00000002.1677531544.00000000020A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000004.00000002.1677336992.0000000000498000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000008.00000002.4107945303.00000000030F0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.1414773059.0000000000609000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.1414691831.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000004.00000002.1677390187.0000000000580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000017.00000002.4106141741.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.1414674284.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000001A.00000002.2604597299.0000000000728000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000008.00000002.4107329248.0000000002CF4000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000004.00000002.1677220887.0000000000470000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000017.00000002.4104489388.0000000002B0C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 0000000D.00000002.1778201107.000000000084C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000005.00000002.1708502854.0000000002318000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: C:\Users\user\AppData\Local\Temp\9561.exe, type: DROPPED	Matched rule: MALWARE_Win_DLInjector04 author = ditekSHen, description = Detects downloader / injector

Source: 83BC.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C1C2.dll.2.dr	Static PE information: Section: .text IMAGE_SCN_TYPE_NOLOAD, IMAGE_SCN_TYPE_COPY, IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_LNK_INFO, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: E297.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: csrss.exe.6.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: cpointasp.exe.37.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: _RegDLL.tmp.37.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: JSCoreService75.exe.40.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C1C2.dll.2.dr	Static PE information: Section: b=W\| ZLIB complexity 0.9988941010974702
Source: is-1TTMQ.tmp.37.dr	Static PE information: Section: ZLIB complexity 0.9976058467741935
Source: is-7QIAL.tmp.37.dr	Static PE information: Section: ZLIB complexity 0.995148689516129
Source: is-9JRC1.tmp.37.dr	Static PE information: Section: ZLIB complexity 0.9908203125
Source: is-7RFNU.tmp.37.dr	Static PE information: Section: ZLIB complexity 0.9903624487704918
Source: is-KS29E.tmp.37.dr	Static PE information: Section: ZLIB complexity 0.9891526442307692

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@72/197@0/100

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0060CAFF CreateToolhelp32Snapshot,Module32First,

0_2_0060CAFF

Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp

File created: C:\Program Files (x86)\CPointASP

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\gferuhf

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7628:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6808:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2092:120:WilError_03

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Local\Temp\83BC.tmp

Jump to behavior

Source: Yara match	File source: 14.0.BroomSetup.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000E.00000000.1772834822.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe, type: DROPPED

Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe	Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Users\user\AppData\Local\Temp\9561.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll

Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor

Source: C:\Windows\explorer.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Source: C:\Program Files (x86)\CPointASP\cpointasp.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\CPointASP\cpointasp.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: unknown

Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Source: file.exe	ReversingLabs: Detection: 37%
Source: file.exe	Virustotal: Detection: 44%

Source: 288c47bbc1871b439df19ff4df68f076.exe	String found in binary or memory: REQUESTED-ADDRESS-FAMILYRequest Entity Too LargeSA Eastern Standard TimeSA Pacific Standard TimeSA Western Standard TimeSafeArrayAllocDescriptorSetConsoleCursorPositionSetDefaultDllDirectoriesSetupDiCreateDeviceInfoWSetupDiGetSelectedDeviceSetupDiSetSelectedDe
Source: 288c47bbc1871b439df19ff4df68f076.exe	String found in binary or memory: yscalltick= work.nproc= work.nwait= %s/rawaddr/%s%s\%s\drivers, gp->status=, not pointer-bind-address-byte block (3814697265625: unknown pc Accept-RangesAuthorizationCLIENT_RANDOMCONNECTION-IDCONNECT_ERRORCache-ControlCertOpenStoreCoTaskMemFreeConnectServerCo
Source: 288c47bbc1871b439df19ff4df68f076.exe	String found in binary or memory: PED-ADDRESSMAX_FRAME_SIZEMB; allocated MakeAbsoluteSDMissing quotesModule32FirstWNetUserGetInfoNot AcceptableNtResumeThreadOSArchitectureOpenSCManagerWOther_ID_StartPROTOCOL_ERRORPattern_SyntaxProcess32NextWProtection DirQuotation_MarkRCodeNameErrorREFUSED_STR
Source: 288c47bbc1871b439df19ff4df68f076.exe	String found in binary or memory: inateProcessTor current modeTor is dowloadedTranslateMessageTrustedInstallerUnregisterClassWUpgrade RequiredUser-Agent: %s VirtualProtectExWinVerifyTrustExWindows DefenderWww-AuthenticateXOR-PEER-ADDRESSZanabazar_Square\windefender.exe runtime stack: address
Source: 288c47bbc1871b439df19ff4df68f076.exe	String found in binary or memory: unknown network unpacking headerworkbuf is emptywrite config: %wwww-authenticate spinningthreads=%%!%c(big.Int=%s)%s/address/%s/txs, p.searchAddr = 0123456789ABCDEFX0123456789abcdefx060102150405Z07001192092895507812559604644775390625: missing method AdjustToke
Source: 288c47bbc1871b439df19ff4df68f076.exe	String found in binary or memory: Temporary RedirectTerminateJobObjectTime.MarshalJSON: Time.MarshalText: UNKNOWN-ATTRIBUTESUNKNOWN_SETTING_%dUnknown value typeVariation_SelectorWeb Downloader/6.9WriteProcessMemoryXOR-MAPPED-ADDRESSadaptivestackstartbad Content-Lengthbad manualFreeListbufio: b
Source: 288c47bbc1871b439df19ff4df68f076.exe	String found in binary or memory: .654WDG_Validator/1.6.2WSALookupServiceEndWaitForSingleObjectWindowsCreateStringWindowsDeleteStringWinmonSystemMonitorXOR-RELAYED-ADDRESSYukon Standard Timeadjusttimers: bad pafter array elementattribute not foundbad ABI descriptionbad file descriptorbad kind

Source: unknown	Process created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\gferuhf C:\Users\user\AppData\Roaming\gferuhf
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\83BC.exe C:\Users\user\AppData\Local\Temp\83BC.exe
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Process created: C:\Users\user\AppData\Local\Temp\83BC.exe C:\Users\user\AppData\Local\Temp\83BC.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\9561.exe C:\Users\user\AppData\Local\Temp\9561.exe
Source: C:\Users\user\AppData\Local\Temp\9561.exe	Process created: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe "C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
Source: C:\Users\user\AppData\Local\Temp\9561.exe	Process created: C:\Users\user\AppData\Local\Temp\InstallSetup9.exe "C:\Users\user\AppData\Local\Temp\InstallSetup9.exe"
Source: C:\Users\user\AppData\Local\Temp\9561.exe	Process created: C:\Users\user\AppData\Local\Temp\InstallSetup9.exe "C:\Users\user\AppData\Local\Temp\InstallSetup9.exe"
Source: C:\Users\user\AppData\Local\Temp\9561.exe	Process created: C:\Users\user\AppData\Local\Temp\toolspub2.exe "C:\Users\user\AppData\Local\Temp\toolspub2.exe"
Source: C:\Users\user\AppData\Local\Temp\InstallSetup9.exe	Process created: C:\Users\user\AppData\Local\Temp\BroomSetup.exe C:\Users\user\AppData\Local\Temp\BroomSetup.exe
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Process created: C:\Users\user\AppData\Local\Temp\toolspub2.exe "C:\Users\user\AppData\Local\Temp\toolspub2.exe"
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C fodhelper
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\fodhelper.exe fodhelper
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
Source: C:\Windows\System32\fodhelper.exe	Process created: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe "C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\B137.exe C:\Users\user\AppData\Local\Temp\B137.exe
Source: C:\Users\user\AppData\Local\Temp\B137.exe	Process created: C:\Users\user\AppData\Local\Temp\is-3QNR8.tmp\B137.tmp "C:\Users\user\AppData\Local\Temp\is-3QNR8.tmp\B137.tmp" /SL5="$30510,4192226,54272,C:\Users\user\AppData\Local\Temp\B137.exe"
Source: C:\Users\user\AppData\Local\Temp\InstallSetup9.exe	Process created: C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32 /s C:\Users\user\AppData\Local\Temp\C1C2.dll
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe /s C:\Users\user\AppData\Local\Temp\C1C2.dll
Source: unknown	Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Source: C:\Users\user\AppData\Local\Temp\is-3QNR8.tmp\B137.tmp	Process created: C:\Users\user\AppData\Local\Temp\B137.exe "C:\Users\user\AppData\Local\Temp\B137.exe" /SPAWNWND=$404C0 /NOTIFYWND=$30510
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\CDAA.exe C:\Users\user\AppData\Local\Temp\CDAA.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\B137.exe	Process created: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp "C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp" /SL5="$205C2,4192226,54272,C:\Users\user\AppData\Local\Temp\B137.exe" /SPAWNWND=$404C0 /NOTIFYWND=$30510
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" helpmsg 28
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Process created: C:\Program Files (x86)\CPointASP\cpointasp.exe "C:\Program Files (x86)\CPointASP\cpointasp.exe" -i
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 helpmsg 28
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Process created: C:\Program Files (x86)\CPointASP\cpointasp.exe "C:\Program Files (x86)\CPointASP\cpointasp.exe" -s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\83BC.exe C:\Users\user\AppData\Local\Temp\83BC.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\9561.exe C:\Users\user\AppData\Local\Temp\9561.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\B137.exe C:\Users\user\AppData\Local\Temp\B137.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32 /s C:\Users\user\AppData\Local\Temp\C1C2.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\CDAA.exe C:\Users\user\AppData\Local\Temp\CDAA.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Process created: C:\Users\user\AppData\Local\Temp\83BC.exe C:\Users\user\AppData\Local\Temp\83BC.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9561.exe	Process created: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe "C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
Source: C:\Users\user\AppData\Local\Temp\9561.exe	Process created: C:\Users\user\AppData\Local\Temp\InstallSetup9.exe "C:\Users\user\AppData\Local\Temp\InstallSetup9.exe"
Source: C:\Users\user\AppData\Local\Temp\9561.exe	Process created: C:\Users\user\AppData\Local\Temp\toolspub2.exe "C:\Users\user\AppData\Local\Temp\toolspub2.exe"
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C fodhelper
Source: C:\Users\user\AppData\Local\Temp\InstallSetup9.exe	Process created: C:\Users\user\AppData\Local\Temp\BroomSetup.exe C:\Users\user\AppData\Local\Temp\BroomSetup.exe
Source: C:\Users\user\AppData\Local\Temp\InstallSetup9.exe	Process created: C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Process created: C:\Users\user\AppData\Local\Temp\toolspub2.exe "C:\Users\user\AppData\Local\Temp\toolspub2.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\fodhelper.exe fodhelper
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
Source: C:\Windows\System32\fodhelper.exe	Process created: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe "C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Users\user\AppData\Local\Temp\B137.exe	Process created: C:\Users\user\AppData\Local\Temp\is-3QNR8.tmp\B137.tmp "C:\Users\user\AppData\Local\Temp\is-3QNR8.tmp\B137.tmp" /SL5="$30510,4192226,54272,C:\Users\user\AppData\Local\Temp\B137.exe"
Source: C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe	Process created: unknown unknown
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe /s C:\Users\user\AppData\Local\Temp\C1C2.dll
Source: C:\Users\user\AppData\Local\Temp\B137.exe	Process created: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp "C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp" /SL5="$205C2,4192226,54272,C:\Users\user\AppData\Local\Temp\B137.exe" /SPAWNWND=$404C0 /NOTIFYWND=$30510
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Process created: C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" helpmsg 28
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Process created: C:\Program Files (x86)\CPointASP\cpointasp.exe "C:\Program Files (x86)\CPointASP\cpointasp.exe" -i
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Process created: C:\Program Files (x86)\CPointASP\cpointasp.exe "C:\Program Files (x86)\CPointASP\cpointasp.exe" -s
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 helpmsg 28

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe

Window found: window name: TButton

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\9561.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Windows\System32\fodhelper.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Access\Capabilities\UrlAssociations

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source:	Binary string: EfiGuardDxe.pdb7 source: 288c47bbc1871b439df19ff4df68f076.exe
Source:	Binary string: symsrv.pdbGCTL source: 288c47bbc1871b439df19ff4df68f076.exe, 00000017.00000002.4106141741.0000000003789000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: symsrv.pdb source: 288c47bbc1871b439df19ff4df68f076.exe, 288c47bbc1871b439df19ff4df68f076.exe, 00000017.00000002.4106141741.0000000003789000.00000040.00001000.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe	Unpacked PE file: 0.2.file.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.jiwe:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\gferuhf	Unpacked PE file: 4.2.gferuhf.400000.0.unpack .text:ER;.rdata:R;.data:W;.jiwe:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Unpacked PE file: 8.2.288c47bbc1871b439df19ff4df68f076.exe.400000.5.unpack .text:ER;.rdata:R;.data:W;.viji:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Unpacked PE file: 15.2.toolspub2.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.zona:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Unpacked PE file: 23.2.288c47bbc1871b439df19ff4df68f076.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.viji:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
Source: C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe	Unpacked PE file: 26.2.nsuAC75.tmp.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.wasubiy:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;
Source: C:\Program Files (x86)\CPointASP\cpointasp.exe	Unpacked PE file: 40.2.cpointasp.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;_text_9:EW; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;
Source: C:\Program Files (x86)\CPointASP\cpointasp.exe	Unpacked PE file: 44.2.cpointasp.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;_text_9:EW; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Unpacked PE file: 8.2.288c47bbc1871b439df19ff4df68f076.exe.400000.5.unpack
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Unpacked PE file: 23.2.288c47bbc1871b439df19ff4df68f076.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe	Unpacked PE file: 26.2.nsuAC75.tmp.exe.400000.0.unpack
Source: C:\Program Files (x86)\CPointASP\cpointasp.exe	Unpacked PE file: 40.2.cpointasp.exe.400000.0.unpack
Source: C:\Program Files (x86)\CPointASP\cpointasp.exe	Unpacked PE file: 44.2.cpointasp.exe.400000.0.unpack

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004127AD __decode_pointer,LoadLibraryA,GetProcAddress,__encode_pointer,InterlockedExchange,FreeLibrary,

0_2_004127AD

Source: initial sample

Static PE information: section where entry point is pointing to: .EXE

Source: is-7QIAL.tmp.37.dr	Static PE information: real checksum: 0x0 should be: 0x5060
Source: is-1V3O7.tmp.37.dr	Static PE information: real checksum: 0x0 should be: 0x4ac84
Source: is-4CSOT.tmp.37.dr	Static PE information: real checksum: 0x0 should be: 0x17d41
Source: C1C2.dll.2.dr	Static PE information: real checksum: 0x0 should be: 0x1fc495
Source: is-9JRC1.tmp.37.dr	Static PE information: real checksum: 0x0 should be: 0x204aa
Source: 9561.exe.2.dr	Static PE information: real checksum: 0x0 should be: 0x6c7363
Source: is-K0GP7.tmp.37.dr	Static PE information: real checksum: 0x0 should be: 0x5dc2c
Source: is-ODNC4.tmp.37.dr	Static PE information: real checksum: 0x0 should be: 0x1f2f4
Source: B137.tmp.24.dr	Static PE information: real checksum: 0x0 should be: 0xb0991
Source: BroomSetup.exe.12.dr	Static PE information: real checksum: 0x0 should be: 0x55278a
Source: is-GR811.tmp.37.dr	Static PE information: real checksum: 0x0 should be: 0x22a56
Source: is-VT3M5.tmp.37.dr	Static PE information: real checksum: 0x0 should be: 0x127ab
Source: _setup64.tmp.37.dr	Static PE information: real checksum: 0x0 should be: 0x8546
Source: is-EJ9G2.tmp.37.dr	Static PE information: real checksum: 0x0 should be: 0xcf45
Source: _RegDLL.tmp.37.dr	Static PE information: real checksum: 0x0 should be: 0xc2b7
Source: InstallSetup9.exe.7.dr	Static PE information: real checksum: 0x0 should be: 0x248f37
Source: is-9SQN6.tmp.37.dr	Static PE information: real checksum: 0x0 should be: 0x7c1a
Source: B137.exe.2.dr	Static PE information: real checksum: 0x0 should be: 0x44470a
Source: 288c47bbc1871b439df19ff4df68f076.exe.7.dr	Static PE information: real checksum: 0x440e75 should be: 0x43c3c8
Source: is-1TTMQ.tmp.37.dr	Static PE information: real checksum: 0x0 should be: 0x10609
Source: _iscrypt.dll.37.dr	Static PE information: real checksum: 0x0 should be: 0x89d2
Source: is-2CL5A.tmp.37.dr	Static PE information: real checksum: 0x0 should be: 0x31782
Source: is-AVN6H.tmp.37.dr	Static PE information: real checksum: 0x0 should be: 0x60b0b
Source: is-RRNMJ.tmp.37.dr	Static PE information: real checksum: 0x0 should be: 0x346e7
Source: is-KS29E.tmp.37.dr	Static PE information: real checksum: 0x0 should be: 0xb5c3
Source: is-01D6N.tmp.37.dr	Static PE information: real checksum: 0x0 should be: 0x6b1f
Source: is-EFHJ3.tmp.37.dr	Static PE information: real checksum: 0x0 should be: 0xf050f
Source: is-UK3TA.tmp.37.dr	Static PE information: real checksum: 0x0 should be: 0xb06ed
Source: is-7RFNU.tmp.37.dr	Static PE information: real checksum: 0x0 should be: 0xc979
Source: INetC.dll.12.dr	Static PE information: real checksum: 0x0 should be: 0x69a0
Source: B137.tmp.32.dr	Static PE information: real checksum: 0x0 should be: 0xb0991
Source: is-VRA2K.tmp.37.dr	Static PE information: real checksum: 0x0 should be: 0xadc6
Source: is-F3LHF.tmp.37.dr	Static PE information: real checksum: 0x0 should be: 0xc1c38

Source: file.exe	Static PE information: section name: .jiwe
Source: 83BC.exe.2.dr	Static PE information: section name: .venowe
Source: C1C2.dll.2.dr	Static PE information: section name: b=W\|
Source: C1C2.dll.2.dr	Static PE information: section name: Lny6jo2
Source: CDAA.exe.2.dr	Static PE information: section name: .AVI;
Source: CDAA.exe.2.dr	Static PE information: section name: .AVI;
Source: CDAA.exe.2.dr	Static PE information: section name: .EXE
Source: CDAA.exe.2.dr	Static PE information: section name: .EXE
Source: CDAA.exe.2.dr	Static PE information: section name: .EXE
Source: E297.exe.2.dr	Static PE information: section name: .corugim
Source: 973D.exe.2.dr	Static PE information: section name: .vmp
Source: 973D.exe.2.dr	Static PE information: section name: .vmp
Source: 973D.exe.2.dr	Static PE information: section name: .vmp
Source: 3205.exe.2.dr	Static PE information: section name: .AVI;
Source: 3205.exe.2.dr	Static PE information: section name: .AVI;
Source: 3205.exe.2.dr	Static PE information: section name: .vmp
Source: 3205.exe.2.dr	Static PE information: section name: .vmp
Source: 3205.exe.2.dr	Static PE information: section name: .vmp
Source: tieruhf.2.dr	Static PE information: section name: .zona
Source: gferuhf.2.dr	Static PE information: section name: .jiwe
Source: csrss.exe.6.dr	Static PE information: section name: .venowe
Source: 288c47bbc1871b439df19ff4df68f076.exe.7.dr	Static PE information: section name: .viji
Source: toolspub2.exe.7.dr	Static PE information: section name: .zona
Source: BroomSetup.exe.12.dr	Static PE information: section name: .didata
Source: syncUpd[1].exe.12.dr	Static PE information: section name: .wasubiy
Source: nsuAC75.tmp.exe.12.dr	Static PE information: section name: .wasubiy
Source: freebl3.dll.26.dr	Static PE information: section name: .00cfg
Source: freebl3[1].dll.26.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.26.dr	Static PE information: section name: .00cfg
Source: mozglue[1].dll.26.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.26.dr	Static PE information: section name: .didat
Source: msvcp140[1].dll.26.dr	Static PE information: section name: .didat
Source: nss3.dll.26.dr	Static PE information: section name: .00cfg
Source: nss3[1].dll.26.dr	Static PE information: section name: .00cfg
Source: softokn3.dll.26.dr	Static PE information: section name: .00cfg
Source: softokn3[1].dll.26.dr	Static PE information: section name: .00cfg
Source: cpointasp.exe.37.dr	Static PE information: section name: _text_9
Source: is-01D6N.tmp.37.dr	Static PE information: section name:
Source: is-01D6N.tmp.37.dr	Static PE information: section name:
Source: is-01D6N.tmp.37.dr	Static PE information: section name: petite
Source: is-LJEF3.tmp.37.dr	Static PE information: section name:
Source: is-LJEF3.tmp.37.dr	Static PE information: section name: petite
Source: is-9SQN6.tmp.37.dr	Static PE information: section name:
Source: is-9SQN6.tmp.37.dr	Static PE information: section name:
Source: is-9SQN6.tmp.37.dr	Static PE information: section name: petite
Source: is-1TTMQ.tmp.37.dr	Static PE information: section name:
Source: is-1TTMQ.tmp.37.dr	Static PE information: section name:
Source: is-1TTMQ.tmp.37.dr	Static PE information: section name: petite
Source: is-7TH98.tmp.37.dr	Static PE information: section name:
Source: is-7TH98.tmp.37.dr	Static PE information: section name: petite
Source: is-7QIAL.tmp.37.dr	Static PE information: section name:
Source: is-7QIAL.tmp.37.dr	Static PE information: section name:
Source: is-7QIAL.tmp.37.dr	Static PE information: section name:
Source: is-9JRC1.tmp.37.dr	Static PE information: section name:
Source: is-9JRC1.tmp.37.dr	Static PE information: section name:
Source: is-9JRC1.tmp.37.dr	Static PE information: section name: petite
Source: is-VT3M5.tmp.37.dr	Static PE information: section name:
Source: is-VT3M5.tmp.37.dr	Static PE information: section name:
Source: is-VT3M5.tmp.37.dr	Static PE information: section name:
Source: is-4CSOT.tmp.37.dr	Static PE information: section name:
Source: is-4CSOT.tmp.37.dr	Static PE information: section name:
Source: is-4CSOT.tmp.37.dr	Static PE information: section name: petite
Source: is-7RFNU.tmp.37.dr	Static PE information: section name:
Source: is-7RFNU.tmp.37.dr	Static PE information: section name:
Source: is-7RFNU.tmp.37.dr	Static PE information: section name: petite
Source: is-KS29E.tmp.37.dr	Static PE information: section name:
Source: is-KS29E.tmp.37.dr	Static PE information: section name:
Source: is-KS29E.tmp.37.dr	Static PE information: section name:
Source: is-EJ9G2.tmp.37.dr	Static PE information: section name:
Source: is-EJ9G2.tmp.37.dr	Static PE information: section name:
Source: is-EJ9G2.tmp.37.dr	Static PE information: section name: petite
Source: is-0U1TM.tmp.37.dr	Static PE information: section name: /4
Source: is-HRFH2.tmp.37.dr	Static PE information: section name: /4
Source: is-AO7D9.tmp.37.dr	Static PE information: section name: /4
Source: is-VRA2K.tmp.37.dr	Static PE information: section name:
Source: is-VRA2K.tmp.37.dr	Static PE information: section name:
Source: is-VRA2K.tmp.37.dr	Static PE information: section name:
Source: is-2458N.tmp.37.dr	Static PE information: section name: /4
Source: is-040AJ.tmp.37.dr	Static PE information: section name: .eh_fram
Source: is-1V3O7.tmp.37.dr	Static PE information: section name: asmcode
Source: is-AU9HG.tmp.37.dr	Static PE information: section name: .eh_fram
Source: is-KDLQ5.tmp.37.dr	Static PE information: section name: /4
Source: is-GE7OO.tmp.37.dr	Static PE information: section name: /4
Source: is-NEGHU.tmp.37.dr	Static PE information: section name: /4
Source: is-KBFH3.tmp.37.dr	Static PE information: section name: /4
Source: is-EFHJ3.tmp.37.dr	Static PE information: section name: .trace
Source: is-EFHJ3.tmp.37.dr	Static PE information: section name: _RDATA
Source: is-EFHJ3.tmp.37.dr	Static PE information: section name: .debug_o
Source: is-II7SF.tmp.37.dr	Static PE information: section name: /4
Source: is-DER7H.tmp.37.dr	Static PE information: section name: /4
Source: is-B87EH.tmp.37.dr	Static PE information: section name: /4
Source: is-P9QDC.tmp.37.dr	Static PE information: section name: /4
Source: is-93FRL.tmp.37.dr	Static PE information: section name: /4
Source: is-G4UPE.tmp.37.dr	Static PE information: section name: /4
Source: is-HHJJI.tmp.37.dr	Static PE information: section name: /4
Source: is-IOMGH.tmp.37.dr	Static PE information: section name: /4
Source: is-K0GP7.tmp.37.dr	Static PE information: section name: .sxdata
Source: is-F3LHF.tmp.37.dr	Static PE information: section name: .didata
Source: JSCoreService75.exe.40.dr	Static PE information: section name: _text_9

Source: C:\Windows\explorer.exe

Process created: C:\Windows\System32\regsvr32.exe regsvr32 /s C:\Users\user\AppData\Local\Temp\C1C2.dll

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004014A1 push es; iretd	0_2_004014A3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_004022A8 pushfd ; ret	0_2_004022C7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005D1506 push es; iretd	0_2_005D150A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005D230F pushfd ; ret	0_2_005D232E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00614645 push cs; iretd	0_2_00614647
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0060DA02 push es; iretd	0_2_0060DA22
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0060E53D pushfd ; ret	0_2_0060E61C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0060DF18 push 8A1E29FAh; iretd	0_2_0060DF1D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00610DA4 push ss; iretd	0_2_00610DAA
Source: C:\Users\user\AppData\Roaming\gferuhf	Code function: 4_2_004014A1 push es; iretd	4_2_004014A3
Source: C:\Users\user\AppData\Roaming\gferuhf	Code function: 4_2_004022A8 pushfd ; ret	4_2_004022C7
Source: C:\Users\user\AppData\Roaming\gferuhf	Code function: 4_2_00471506 push es; iretd	4_2_0047150A
Source: C:\Users\user\AppData\Roaming\gferuhf	Code function: 4_2_0047230F pushfd ; ret	4_2_0047232E
Source: C:\Users\user\AppData\Roaming\gferuhf	Code function: 4_2_0049C660 push 8A1E29FAh; iretd	4_2_0049C665
Source: C:\Users\user\AppData\Roaming\gferuhf	Code function: 4_2_0049F4EC push ss; iretd	4_2_0049F4F2
Source: C:\Users\user\AppData\Roaming\gferuhf	Code function: 4_2_0049CC85 pushfd ; ret	4_2_0049CD64
Source: C:\Users\user\AppData\Roaming\gferuhf	Code function: 4_2_0049C14A push es; iretd	4_2_0049C16A
Source: C:\Users\user\AppData\Roaming\gferuhf	Code function: 4_2_004A2D8D push cs; iretd	4_2_004A2D8F
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Code function: 5_2_00404B49 push ecx; ret	5_2_00404B5C
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Code function: 5_2_023D62EF push ebx; iretd	5_2_023D62F7
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Code function: 5_2_0249080A push 5A36841Dh; retf	5_2_02490825
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Code function: 5_2_0242A70A pushad ; ret	5_2_0242A70C
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Code function: 5_2_024907ED push ebp; retf	5_2_024907EE
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Code function: 5_2_024C87F8 push edx; retf	5_2_024C87F9
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Code function: 5_2_024C84BD push cs; ret	5_2_024C84BE
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Code function: 8_2_02CF8C85 pushad ; ret	8_2_02CF8C97
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Code function: 8_2_02CF616B pushfd ; ret	8_2_02CF61B3
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Code function: 8_2_02CF8D61 pushad ; ret	8_2_02CF8D88

Source: initial sample	Static PE information: section name: .text entropy: 7.200967703562425
Source: initial sample	Static PE information: section name: .text entropy: 7.982426855513415
Source: initial sample	Static PE information: section name: .text entropy: 7.789163699932255
Source: initial sample	Static PE information: section name: .text entropy: 7.912544297452692
Source: initial sample	Static PE information: section name: .text entropy: 7.023130271257234
Source: initial sample	Static PE information: section name: .text entropy: 7.200967703562425
Source: initial sample	Static PE information: section name: .text entropy: 7.982426855513415
Source: initial sample	Static PE information: section name: .text entropy: 7.023130271257234
Source: initial sample	Static PE information: section name: .text entropy: 7.220844604499607
Source: initial sample	Static PE information: section name: .text entropy: 7.220844604499607
Source: initial sample	Static PE information: section name: .text entropy: 7.637402635623799
Source: initial sample	Static PE information: section name: _text_9 entropy: 7.647601539054501
Source: initial sample	Static PE information: section name: entropy: 7.953893773659523
Source: initial sample	Static PE information: section name: entropy: 7.921519965168042
Source: initial sample	Static PE information: section name: entropy: 7.966771808365004
Source: initial sample	Static PE information: section name: entropy: 7.950928332152424
Source: initial sample	Static PE information: section name: entropy: 7.491817342209834
Source: initial sample	Static PE information: section name: .text entropy: 7.637402635623799
Source: initial sample	Static PE information: section name: _text_9 entropy: 7.647601539054501

Persistence and Installation Behavior

Drops PE files with benign system names

Source: C:\Users\user\AppData\Local\Temp\83BC.exe

File created: C:\ProgramData\Drivers\csrss.exe

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\InstallSetup9.exe	File created: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\bass_fx.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\is-7RFNU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\9561.exe	File created: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\bass_tta.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\uchardet.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\is-VRA2K.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\plugins\internal\is-IOMGH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\tak_deco_lib.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\InstallSetup9.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ONMZACOW\syncUpd[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\is-DER7H.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\is-G4UPE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\libsoxr.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\is-RRNMJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\is-II7SF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\plugins\internal\peak_scanner_plugin_c.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\bassdsd.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Users\user\AppData\Local\Temp\is-5KKD2.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\dstt.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\B137.exe	File created: C:\Users\user\AppData\Local\Temp\is-3QNR8.tmp\B137.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\is-GE7OO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\is-NEGHU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\plugins\internal\raw_decode_plugin_c.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\ff_helper.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\bassflac.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\is-AU9HG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\is-ODNC4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\is-4CSOT.tmp	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\9561.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\is-F3LHF.tmp	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\C1C2.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\bassalac.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\is-KS29E.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\libwinpthread-1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\basscd.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\is-0U1TM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\is-P9QDC.tmp	Jump to dropped file
Source: C:\Program Files (x86)\CPointASP\cpointasp.exe	File created: C:\ProgramData\JSCoreService75\JSCoreService75.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\InstallSetup9.exe	File created: C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\is-GR811.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\E297.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Users\user\AppData\Local\Temp\is-5KKD2.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\OptimFROG.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\is-93FRL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\is-UK3TA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Users\user\AppData\Local\Temp\is-5KKD2.tmp\_isetup\_RegDLL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\libwebp.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\is-2458N.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\is-7QIAL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\wavpackdll.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\daiso.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\is-1TTMQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\is-KBFH3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\da.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\is-040AJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\is-7TH98.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\is-9SQN6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\dsd2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\bassmix.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\bassopus.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\sd.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\cpointasp.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\CDAA.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\B137.exe	File created: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\bassape.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Users\user\AppData\Local\Temp\is-5KKD2.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\9561.exe	File created: C:\Users\user\AppData\Local\Temp\InstallSetup9.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\is-AVN6H.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\plugins\internal\is-HHJJI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\libFLAC_dynamic.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\is-AO7D9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\takdec.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\utils.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\pcm2dsd.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\is-9JRC1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\is-01D6N.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\7z.exe (copy)	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\83BC.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\973D.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\lame_enc.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\gain_analysis.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\mp3gain.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\d_writer.dll (copy)	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\B137.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	File created: C:\ProgramData\Drivers\csrss.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\InstallSetup9.exe	File created: C:\Users\user\AppData\Local\Temp\nsbA38B.tmp\INetC.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\basswma.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\basswv.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\libdtsdec.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\is-2CL5A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\is-EFHJ3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\is-1V3O7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\is-VT3M5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\is-HRFH2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\9561.exe	File created: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\dsd2pcmt.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\is-KDLQ5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\rg_ebur128.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\is-LJEF3.tmp	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\3205.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\tieruhf	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\bassmidi.dll (copy)	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\gferuhf	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\is-B87EH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\bass_ofr.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\is-K0GP7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	File created: C:\Program Files (x86)\CPointASP\bin\x86\is-EJ9G2.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Program Files (x86)\CPointASP\cpointasp.exe	File created: C:\ProgramData\JSCoreService75\JSCoreService75.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	File created: C:\ProgramData\Drivers\csrss.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\tieruhf			Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\gferuhf			Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run CSRSS			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run CSRSS			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\file.exe

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\gferuhf:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\tieruhf:Zone.Identifier read attributes \| delete			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-3QNR8.tmp\B137.tmp

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9561.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\9561.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\9561.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\9561.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\9561.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\9561.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\9561.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\9561.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\9561.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\9561.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\9561.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\9561.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\9561.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\9561.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\9561.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\9561.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallSetup9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallSetup9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallSetup9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallSetup9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallSetup9.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\B137.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-3QNR8.tmp\B137.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-3QNR8.tmp\B137.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-3QNR8.tmp\B137.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\B137.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gferuhf	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gferuhf	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gferuhf	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gferuhf	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gferuhf	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gferuhf	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Temp\CDAA.exe

System information queried: FirmwareTableInformation

Tries to detect sandboxes / dynamic malware analysis system (file name check)

Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\MyApp.Exe
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: \KnownDlls32\SelF.exe

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: file.exe, 00000000.00000002.1414710575.00000000005FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ASWHOOK
Source: 288c47bbc1871b439df19ff4df68f076.exe	Binary or memory string: RTP.EXESYSTEMROOT=SETFILETIMESIGNWRITINGSOFT_DOTTEDSYSTEMDRIVETTL EXPIREDUNINSTALLERVBOXSERVICEVMUSRVC.EXEVARIANTINITVIRTUALFREEVIRTUALLOCKWSARECVFROMWARANG_CITIWHITE_SPACEWINDEFENDER[:^XDIGIT:]\DSEFIX.EXEADDITIONALSALARM CLOCKAPPLICATIONASSISTQUEUEAUTHORITIES

Source: C:\Users\user\AppData\Local\Temp\9561.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 434	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 1709	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 705	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 715	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 727	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 675	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Window / User API: threadDelayed 4065	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4975
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1125
Source: C:\Program Files (x86)\CPointASP\cpointasp.exe	Window / User API: threadDelayed 2748

Source: C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\bass_fx.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\is-7RFNU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\uchardet.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\bass_tta.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\is-VRA2K.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\plugins\internal\is-IOMGH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\tak_deco_lib.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\is-G4UPE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\is-DER7H.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\libsoxr.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\is-RRNMJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\is-II7SF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\plugins\internal\peak_scanner_plugin_c.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\bassdsd.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-5KKD2.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\dstt.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\is-GE7OO.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\is-NEGHU.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\plugins\internal\raw_decode_plugin_c.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\ff_helper.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\bassflac.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\is-AU9HG.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\is-ODNC4.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\is-4CSOT.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\is-F3LHF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\bassalac.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\libwinpthread-1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\is-KS29E.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\basscd.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\is-0U1TM.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\is-P9QDC.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\is-GR811.tmp	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\E297.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-5KKD2.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\OptimFROG.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\is-93FRL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\is-UK3TA.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-5KKD2.tmp\_isetup\_RegDLL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\libwebp.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\is-2458N.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\is-7QIAL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\daiso.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\wavpackdll.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\is-1TTMQ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\is-KBFH3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\da.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\is-040AJ.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\is-7TH98.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\is-9SQN6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\dsd2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\bassmix.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\bassopus.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\sd.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\bassape.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\is-AVN6H.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\libFLAC_dynamic.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\plugins\internal\is-HHJJI.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\is-AO7D9.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\takdec.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\utils.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\pcm2dsd.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\is-9JRC1.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\is-01D6N.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\7z.exe (copy)	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\973D.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\lame_enc.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\gain_analysis.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\mp3gain.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\d_writer.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\basswma.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\libdtsdec.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\basswv.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\is-2CL5A.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\is-EFHJ3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\is-1V3O7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\is-VT3M5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\is-HRFH2.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\dsd2pcmt.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\is-KDLQ5.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\rg_ebur128.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\is-LJEF3.tmp	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\3205.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\bassmidi.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\is-B87EH.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\bass_ofr.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\is-K0GP7.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp	Dropped PE file which has not been started: C:\Program Files (x86)\CPointASP\bin\x86\is-EJ9G2.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\83BC.exe

Evaded block: after key decision

graph_5-16415

Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep	graph_5-15998
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess	graph_5-16249
Source: C:\Users\user\Desktop\file.exe	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep	graph_0-14197
Source: C:\Users\user\AppData\Roaming\gferuhf	Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep	graph_4-14186

Source: C:\Windows\explorer.exe TID: 8072	Thread sleep time: -170900s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 8068	Thread sleep time: -70500s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 8072	Thread sleep time: -71500s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\83BC.exe TID: 1468	Thread sleep time: -406500s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\83BC.exe TID: 4140	Thread sleep time: -75000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9561.exe TID: 2600	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe TID: 4844	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe TID: 6732	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 3504	Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6488	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6176	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\CPointASP\cpointasp.exe TID: 7656	Thread sleep count: 2748 > 30
Source: C:\Program Files (x86)\CPointASP\cpointasp.exe TID: 7656	Thread sleep time: -5496000s >= -30000s
Source: C:\Program Files (x86)\CPointASP\cpointasp.exe TID: 4684	Thread sleep count: 74 > 30
Source: C:\Program Files (x86)\CPointASP\cpointasp.exe TID: 4684	Thread sleep time: -4440000s >= -30000s

Source: C:\Program Files (x86)\CPointASP\cpointasp.exe

File opened: PhysicalDrive0

Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Last function: Thread delayed
Source: C:\Program Files (x86)\CPointASP\cpointasp.exe	Last function: Thread delayed
Source: C:\Program Files (x86)\CPointASP\cpointasp.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\9561.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\CPointASP\cpointasp.exe	Thread delayed: delay time: 60000

Source: C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\

Source: 288c47bbc1871b439df19ff4df68f076.exe	Binary or memory string: sbvmx86write B -> Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util%s.exe%s.sys%s: %s(...) , i = , not , val -BEFV--DYOR--FMLD--FZTA--IRXC--JFQI--JQGP--JSKV--JZUF--KGQJ--KSFO--MKND--MOHU--NSFS--P
Source: 288c47bbc1871b439df19ff4df68f076.exe	Binary or memory string: psapi.dllquestionsreboot inrecover: reflect: rwxrwxrwxscavtracestackpoolsucceededtask %+v tracebackunderflowunhandleduninstallunzip Torunzip: %wurn:uuid:w3m/0.5.1wbufSpanswebsocketxenevtchn} stack=[ netGo = MB goal, flushGen for type gfreecnt= heapGoal= p
Source: explorer.exe, 00000002.00000000.1401737978.00000000095B9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: 1efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.1401121668.00000000094DC000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWp
Source: 288c47bbc1871b439df19ff4df68f076.exe	Binary or memory string: STAWSTAhomAtoiCDN=CESTChamDATADashDataDateEESTEULAEtagFromGOGCGoneHostJulyJuneLEAFLisuMiaoModiNZDTNZSTNameNewaPINGPOSTPathQEMUROOTSASTSTARSendStatTempThaiTypeUUID"%s"\rss\smb\u00 %+v m=] = ] n=allgallparchasn1avx2basebindbitsbmi1bmi2boolcallcap cas1cas2cas3ca
Source: 288c47bbc1871b439df19ff4df68f076.exe	Binary or memory string: uint64unuseduptimevmhgfsvmxnetvpc-s3wup_hsxennetxensvcxenvdb %v=%v, (conn) (scan (scan) MB in Value> allocs dying= flags= len=%d locks= m->g0= nmsys= pad1= pad2= s=nil text= zombie$WINDIR% CPU (%03d %s%v: %#x, goid=, j0 = -nologo/delete19531252.5.4.32.5.
Source: explorer.exe, 00000002.00000000.1401737978.00000000095B9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}?
Source: explorer.exe, 00000002.00000000.1401121668.000000000952D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 288c47bbc1871b439df19ff4df68f076.exe	Binary or memory string: ersexpiresfloat32float64forcegcgctracehead = http://invalidlog.txtlookup messageminpc= nil keynop -> number pacer: panic: readdirrefererrefreshrequestrunningserial:server=signal svc_versyscalltor.exetraileruintptrunknownupgradeversionvmmousevpcuhubwaitingwindo
Source: 83BC.exe, 00000006.00000003.3002366055.00000000035A4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MIGJAoGBAJtcCCBEuPXqEMu2rREZdSYB+1TY6HE/BWrbN1/ZfMwxUulfEocqfD/3
Source: 288c47bbc1871b439df19ff4df68f076.exe	Binary or memory string: popcntrdtscpreadatreasonremoverenamereturnrun-v3rune1 secondselectsendtoserversocketsocks socks5statusstringstructsweep sysmontelnettimersuint16uint32uint64unuseduptimevmhgfsvmxnetvpc-s3wup_hsxennetxensvcxenvdb %v=%v, (conn) (scan (scan) MB in Value> allocs
Source: explorer.exe, 00000002.00000000.1401121668.00000000093B4000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: 83BC.exe, 00000006.00000003.3002366055.00000000035A4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MIGJAoGBAMZvmci/v9lu2mS+O/M3cUaAMvMrIOsTCKVWdgTHvKYn6UHCdNCgnztj
Source: 83BC.exe, 00000006.00000003.2953201125.00000000035AB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: id ed25519 5uD7nVmCI5DppHHtx2H+7AzbTP39/UvAQinqkc/a/lg
Source: 288c47bbc1871b439df19ff4df68f076.exe	Binary or memory string: pclmulqdqpreemptedprintableprofBlockprotocol proxy.exepsapi.dllquestionsreboot inrecover: reflect: rwxrwxrwxscavtracestackpoolsucceededtask %+v tracebackunderflowunhandleduninstallunzip Torunzip: %wurn:uuid:w3m/0.5.1wbufSpanswebsocketxenevtchn} stack=[ netGo
Source: explorer.exe, 00000002.00000000.1399234102.0000000006F96000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: 288c47bbc1871b439df19ff4df68f076.exe	Binary or memory string: sse41sse42ssse3sudogsweeptext/tls: torrctotaltraceuint8unameusageuser=utf-8valuevmusbvmx86write B -> Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util%s.exe%s.sys%s: %s(...) , i = , not , val -BE
Source: 288c47bbc1871b439df19ff4df68f076.exe	Binary or memory string: LycianLydianMondayPADDEDPcaSvcPragmaRejangSCHED STREETServerStringSundaySyriacTai_LeTangutTeluguThaanaTypeMXTypeNSUTC+12UTC+13UTC-02UTC-08UTC-09UTC-11VBoxSFWINDIRWanchoWinMonWinmonX25519Yezidi[]byte\??\%s\csrss\ufffd acceptactivechan<-closedcookiedirectdo
Source: explorer.exe, 00000002.00000000.1397371484.00000000008DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000o;
Source: explorer.exe, 00000002.00000000.1401737978.00000000095B9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTbrVMWare
Source: 288c47bbc1871b439df19ff4df68f076.exe	Binary or memory string: 4cas5cas6chandatedeaddialdoneermsetagethmfailfileflagfromftpsfuncgziphosthourhttpicmpidleigmpint8itabjsonkindlinkmdnsnullopenpathpipepop3quitreadrootsbrkseeksid=sizesmtpsse3tag:tcp4texttruetypeudp4uintunixuuidvaryvmcixn-- -%s (at ... MB, \" and got= max
Source: 288c47bbc1871b439df19ff4df68f076.exe	Binary or memory string: rSetEndOfFileSetErrorModeSetStdHandleSora_SompengSyloti_NagriSysStringLenThread32NextTor mode setTransmitFileUnauthorizedUnlockFileExVBoxTray.exeVariantClearVirtualAllocVirtualQueryWinmon32.sysWinmon64.sysWintrust.dllX-ImforwardsX-Powered-By[[:^ascii:]]\/(\d+)
Source: explorer.exe, 00000002.00000000.1401121668.00000000094DC000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: %SystemRoot%\system32\mswsock.dlldRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: 83BC.exe, 00000006.00000003.3013323672.00000000035AC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ntor-onion-key xagLdjTNZ7neGETsosZMKDpjlmHhhQLIVmCieMsBKW0
Source: explorer.exe, 00000002.00000000.1401737978.00000000095B9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: 288c47bbc1871b439df19ff4df68f076.exe	Binary or memory string: 3-512SOFTWARESaturdaySetEventSystem32TagbanwaTai_ThamTai_VietThursdayTifinaghTypeAAAATypeAXFRUSERHASHUSERNAMEUgariticVBoxWddmWSAIoctlWinmonFSWmiPrvSE[::1]:53[:word:][signal \\.\HGFS\\.\vmcistack=[_NewEnum_gatewayacceptexaddress bad instcgocheckcontinuecs
Source: explorer.exe, 00000002.00000000.1398152644.0000000002FA0000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 288c47bbc1871b439df19ff4df68f076.exe	Binary or memory string: ermsetagethmfailfileflagfromftpsfuncgziphosthourhttpicmpidleigmpint8itabjsonkindlinkmdnsnullopenpathpipepop3quitreadrootsbrkseeksid=sizesmtpsse3tag:tcp4texttruetypeudp4uintunixuuidvaryvmcixn-- -%s (at ... MB, \" and got= max= ms, ptr tab= top=%s %q%s
Source: 288c47bbc1871b439df19ff4df68f076.exe	Binary or memory string: yreleasep: m=remote errorremoving appruntime: gp=runtime: sp=s ap traffics hs trafficself-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringstraffic/readtransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdo
Source: 288c47bbc1871b439df19ff4df68f076.exe	Binary or memory string: sse3tag:tcp4texttruetypeudp4uintunixuuidvaryvmcixn-- -%s (at ... MB, \" and got= max= ms, ptr tab= top=%s %q%s %s%s*%d%s/%s%s:%d%s=%s"'&+0330+0430+0530+0545+0630+0845+1030+1245+1345, fp:-0930.avif.html.jpeg.json.wasm.webp1.4.2156253.2.2500
Source: 288c47bbc1871b439df19ff4df68f076.exe	Binary or memory string: RTP.exeSYSTEMROOT=SetFileTimeSignWritingSoft_DottedSystemDriveTTL expiredUninstallerVBoxServiceVMUSrvc.exeVariantInitVirtualFreeVirtualLockWSARecvFromWarang_CitiWhite_SpaceWinDefender[:^xdigit:]\dsefix.exeadditionalsalarm clockapplicationassistQueueauthorities
Source: 288c47bbc1871b439df19ff4df68f076.exe	Binary or memory string: vmusbmousevmware: %wws2_32.dll of size (targetpc= , plugin: ErrCode=%v KiB work, bytes ... exp.) for freeindex= gcwaiting= idleprocs= in status mallocing= ms clock, nBSSRoots= p->status= s.nelems= schedtick= span.list= timerslen=$WINDIR\rss%!(BADPREC
Source: 288c47bbc1871b439df19ff4df68f076.exe	Binary or memory string: sse42ssse3sudogsweeptext/tls: torrctotaltraceuint8unameusageuser=utf-8valuevmusbvmx86write B -> Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util%s.exe%s.sys%s: %s(...) , i = , not , val -BEFV--D
Source: 288c47bbc1871b439df19ff4df68f076.exe	Binary or memory string: eUnprocessable EntityWinmonProcessMonitor\\.\pipe\VBoxTrayIPC^.*\._Ctype_uint8_t$asn1: syntax error: assigned stream ID 0bad font file formatbad system page sizebad use of bucket.bpbad use of bucket.mpcertificate requiredchan send (nil chan)close of nil channe
Source: 83BC.exe, 00000006.00000003.2922332755.00000000035AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ntor-onion-key zeABkSC5U36c9jPkbqVUzrjd6qt+/Rti3yHGfsRtYhY
Source: 288c47bbc1871b439df19ff4df68f076.exe	Binary or memory string: rdtscpreadatreasonremoverenamereturnrun-v3rune1 secondselectsendtoserversocketsocks socks5statusstringstructsweep sysmontelnettimersuint16uint32uint64unuseduptimevmhgfsvmxnetvpc-s3wup_hsxennetxensvcxenvdb %v=%v, (conn) (scan (scan) MB in Value> allocs dying=
Source: 288c47bbc1871b439df19ff4df68f076.exe	Binary or memory string: potency-Key\System32\drivers\\.\VBoxMiniRdrDN os/exec.Command(^.*\._Ctype_char$bad TinySizeClasscouldn't dial: %wcouldn't find pidcouldn't get UUIDcouldn't get pidscouldn't hide PIDcpu name is emptycreate window: %wdecode server: %wdecryption faileddownload fi
Source: explorer.exe, 00000002.00000000.1401121668.00000000093B4000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: 2VMware Virtual USB MouseJC:\Windows\System32\DDORes.dll,-2212
Source: 288c47bbc1871b439df19ff4df68f076.exe	Binary or memory string: releasep: m=remote errorremoving appruntime: gp=runtime: sp=s ap traffics hs trafficself-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringstraffic/readtransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog
Source: 288c47bbc1871b439df19ff4df68f076.exe	Binary or memory string: lUnlockWINDOW_UPDATEWTSFreeMemoryWriteConsoleW[FrameHeader \\.\VBoxGuestaccept-rangesaccess deniedadvapi32.dll
Source: 83BC.exe, 00000006.00000003.2953201125.00000000035AB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MIGJAoGBALTKLm+Dn2//Wdsm4wVkqC6KdyxM64ihWRVmcinNdv7gngpzrQ45dqJm
Source: 288c47bbc1871b439df19ff4df68f076.exe	Binary or memory string: MathPOSTALCODEParseAddr(ParseFloatPhoenicianProcessingPulseEventRIPEMD-160RST_STREAMResetEventSHA256-RSASHA384-RSASHA512-RSASYSTEMROOTSaurashtraSecureBootSet-CookieShowWindowTor uptimeUser-AgentVMSrvc.exeWSACleanupWSASocketWWSAStartupWget/1.9.1Windows 10Window
Source: explorer.exe, 00000002.00000000.1399234102.0000000006F96000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: )d2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.1397371484.00000000008DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000/;
Source: explorer.exe, 00000002.00000000.1401737978.00000000095B9000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: 288c47bbc1871b439df19ff4df68f076.exe	Binary or memory string: PalmyreneParseUintPatchTimePublisherReleaseDCRemoveAllSTUN addrSamaritanSee OtherSeptemberSundaneseSysnativeToo EarlyTrailer: TypeCNAMETypeHINFOTypeMINFOUse ProxyVBoxGuestVBoxMouseVBoxVideoWSASendToWednesdayWindows 7WriteFileZ07:00:00[%v = %d][:^word:][:alnum:
Source: 288c47bbc1871b439df19ff4df68f076.exe	Binary or memory string: ssse3sudogsweeptext/tls: torrctotaltraceuint8unameusageuser=utf-8valuevmusbvmx86write B -> Value addr= alloc base code= ctxt: curg= free goid jobs= list= m->p= max= min= next= p->m= prev= span=% util%s.exe%s.sys%s: %s(...) , i = , not , val -BEFV--DYOR--
Source: 288c47bbc1871b439df19ff4df68f076.exe	Binary or memory string: bmi1bmi2boolcallcap cas1cas2cas3cas4cas5cas6chandatedeaddialdoneermsetagethmfailfileflagfromftpsfuncgziphosthourhttpicmpidleigmpint8itabjsonkindlinkmdnsnullopenpathpipepop3quitreadrootsbrkseeksid=sizesmtpsse3tag:tcp4texttruetypeudp4uintunixuuidvaryvmcixn-- -%
Source: 288c47bbc1871b439df19ff4df68f076.exe	Binary or memory string: ultX-Forwarded-For\\.\VBoxTrayIPC] morebuf={pc:accept-encodingaccept-languageadvertise erroragent is closedapplication/pdfasyncpreemptoffbad certificatebad trailer keybefore EfiGuardclass registredclient finishedcouldn't set AVcouldn't set sbdecode hash: %wdo
Source: 288c47bbc1871b439df19ff4df68f076.exe	Binary or memory string: bmi2boolcallcap cas1cas2cas3cas4cas5cas6chandatedeaddialdoneermsetagethmfailfileflagfromftpsfuncgziphosthourhttpicmpidleigmpint8itabjsonkindlinkmdnsnullopenpathpipepop3quitreadrootsbrkseeksid=sizesmtpsse3tag:tcp4texttruetypeudp4uintunixuuidvaryvmcixn-- -%s (a
Source: 288c47bbc1871b439df19ff4df68f076.exe	Binary or memory string: swsarecvwsasendwup_verxen: %wxennet6 bytes, data=%q etypes incr=%v is not maxpc= mcount= minLC= minutes nalloc= newval= nfreed= ping=%q pointer stack=[ status %!Month(%02d%02d%s %s:%d%s: 0x%x-cleanup2.5.4.102.5.4.112.5.4.1748828125?4#?'1#0AcceptExAccepted
Source: 288c47bbc1871b439df19ff4df68f076.exe	Binary or memory string: too many linkstoo many userstorrc filenameunexpected EOFunknown code: unknown error unknown methodunknown mode: unreachable: unsafe.PointeruserArenaStatevirtualbox: %wvmwaretray.exevmwareuser.exewii libnup/1.0winapi error #window createdwork.full != 0xenservi
Source: 288c47bbc1871b439df19ff4df68f076.exe	Binary or memory string: ddrmountvolmsvmmoufno anodeno-cacheno_proxypollDescreadfromrecvfromreflect.runnableruntime.rwmutexRrwmutexWscavengeshutdownstrconv.taskkilltor_modetraceBuftrigger=unixgramunknown(usernamevmmemctlvmx_svgawalk: %wwsaioctlwuauservx509sha1yuio.top (forced) B exp.)
Source: 288c47bbc1871b439df19ff4df68f076.exe	Binary or memory string: rayCreateSafeArrayGetDimSafeArrayGetIIDSafeArrayUnlockScheduledUpdateSetCommTimeoutsSetSecurityInfoSetVolumeLabelWShellExecuteExWStringFromCLSIDStringFromGUID2TerminateThreadUnescaped quoteUninstallStringUnmapViewOfFileVBoxService.exeVPS.hsmiths.comWinsta0\Def

Source: C:\Users\user\AppData\Local\Temp\83BC.exe

API call chain: ExitProcess graph end node

graph_5-16251

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\Desktop\file.exe	System information queried: CodeIntegrityInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gferuhf	System information queried: CodeIntegrityInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	System information queried: CodeIntegrityInformation

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gferuhf	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\InstallSetup9.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004029BA LdrLoadDll,

0_2_004029BA

Source: C:\Users\user\AppData\Local\Temp\83BC.exe

Code function: 5_2_0040114A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

5_2_0040114A

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_004127AD __decode_pointer,LoadLibraryA,GetProcAddress,__encode_pointer,InterlockedExchange,FreeLibrary,

0_2_004127AD

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005D092B mov eax, dword ptr fs:[00000030h]	0_2_005D092B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005D0D90 mov eax, dword ptr fs:[00000030h]	0_2_005D0D90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0060C3DC push dword ptr fs:[00000030h]	0_2_0060C3DC
Source: C:\Users\user\AppData\Roaming\gferuhf	Code function: 4_2_0047092B mov eax, dword ptr fs:[00000030h]	4_2_0047092B
Source: C:\Users\user\AppData\Roaming\gferuhf	Code function: 4_2_00470D90 mov eax, dword ptr fs:[00000030h]	4_2_00470D90
Source: C:\Users\user\AppData\Roaming\gferuhf	Code function: 4_2_0049AB24 push dword ptr fs:[00000030h]	4_2_0049AB24
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Code function: 5_2_023180A3 push dword ptr fs:[00000030h]	5_2_023180A3
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Code function: 5_2_024E0042 push dword ptr fs:[00000030h]	5_2_024E0042
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Code function: 8_2_02CF40A3 push dword ptr fs:[00000030h]	8_2_02CF40A3

Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0041A562 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0041A562
Source: C:\Users\user\AppData\Roaming\gferuhf	Code function: 4_2_0041A562 _raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	4_2_0041A562
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Code function: 5_2_0040B80F SetUnhandledExceptionFilter,	5_2_0040B80F
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Code function: 5_2_0040114A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_0040114A
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Code function: 5_2_0041A2F3 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	5_2_0041A2F3
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Code function: 5_2_00402DD0 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	5_2_00402DD0

Source: C:\Users\user\AppData\Local\Temp\9561.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: 9561.exe.2.dr

Jump to dropped file

Contains functionality to inject code into remote processes

Source: C:\Users\user\AppData\Local\Temp\83BC.exe

Code function: 5_2_024E0110 VirtualAlloc,GetModuleFileNameA,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess,

5_2_024E0110

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\file.exe	Thread created: C:\Windows\explorer.exe EIP: A61AD0	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gferuhf	Thread created: unknown EIP: B41AD0	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Thread created: unknown EIP: 8951930

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Memory written: C:\Users\user\AppData\Local\Temp\83BC.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Memory written: C:\Users\user\AppData\Local\Temp\toolspub2.exe base: 400000 value starts with: 4D5A

Injects code into the Windows Explorer (explorer.exe)

Source: C:\Windows\explorer.exe	Memory written: PID: 8184 base: 4A79C0 value: 90			Jump to behavior
Source: C:\Windows\explorer.exe	Memory written: PID: 3644 base: 7FF60A072D10 value: 90			Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\file.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gferuhf	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\gferuhf	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read

Writes to foreign memory regions

Source: C:\Windows\explorer.exe

Memory written: C:\Windows\SysWOW64\explorer.exe base: 4A79C0

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Process created: C:\Users\user\AppData\Local\Temp\83BC.exe C:\Users\user\AppData\Local\Temp\83BC.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9561.exe	Process created: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe "C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
Source: C:\Users\user\AppData\Local\Temp\9561.exe	Process created: C:\Users\user\AppData\Local\Temp\InstallSetup9.exe "C:\Users\user\AppData\Local\Temp\InstallSetup9.exe"
Source: C:\Users\user\AppData\Local\Temp\9561.exe	Process created: C:\Users\user\AppData\Local\Temp\toolspub2.exe "C:\Users\user\AppData\Local\Temp\toolspub2.exe"
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C fodhelper
Source: C:\Users\user\AppData\Local\Temp\toolspub2.exe	Process created: C:\Users\user\AppData\Local\Temp\toolspub2.exe "C:\Users\user\AppData\Local\Temp\toolspub2.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\fodhelper.exe fodhelper
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
Source: C:\Windows\System32\fodhelper.exe	Process created: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe "C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -nologo -noprofile
Source: C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 helpmsg 28

Source: explorer.exe, 00000002.00000000.1401737978.00000000095B9000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1397696887.0000000001081000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1399061715.0000000004460000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.1397696887.0000000001081000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.1397696887.0000000001081000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: EProgram Manager
Source: explorer.exe, 00000002.00000000.1397371484.0000000000889000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman
Source: explorer.exe, 00000002.00000000.1397696887.0000000001081000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\file.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,_strcpy_s,__itoa_s,	0_2_00415C13
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,	0_2_0041583D
Source: C:\Users\user\Desktop\file.exe	Code function: __crtGetLocaleInfoA_stat,	0_2_0041A8C9
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoA,	0_2_0041A906
Source: C:\Users\user\Desktop\file.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	0_2_00415A83
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,	0_2_0041568E
Source: C:\Users\user\Desktop\file.exe	Code function: _strlen,EnumSystemLocalesA,	0_2_00415B47
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_0041A756
Source: C:\Users\user\Desktop\file.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	0_2_00415B70
Source: C:\Users\user\Desktop\file.exe	Code function: GetLocaleInfoW,	0_2_0041A73D
Source: C:\Users\user\Desktop\file.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	0_2_00415BD7
Source: C:\Users\user\Desktop\file.exe	Code function: GetLastError,_malloc,WideCharToMultiByte,__freea,GetLocaleInfoA,	0_2_0041A78A
Source: C:\Users\user\Desktop\file.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	0_2_004157A5
Source: C:\Users\user\AppData\Roaming\gferuhf	Code function: __getptd,_GetLcidFromLangCountry,_GetLcidFromLanguage,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,_strcpy_s,__itoa_s,	4_2_00415C13
Source: C:\Users\user\AppData\Roaming\gferuhf	Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,	4_2_0041583D
Source: C:\Users\user\AppData\Roaming\gferuhf	Code function: __crtGetLocaleInfoA_stat,	4_2_0041A8C9
Source: C:\Users\user\AppData\Roaming\gferuhf	Code function: GetLocaleInfoA,	4_2_0041A906
Source: C:\Users\user\AppData\Roaming\gferuhf	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	4_2_00415A83
Source: C:\Users\user\AppData\Roaming\gferuhf	Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,	4_2_0041568E
Source: C:\Users\user\AppData\Roaming\gferuhf	Code function: _strlen,EnumSystemLocalesA,	4_2_00415B47
Source: C:\Users\user\AppData\Roaming\gferuhf	Code function: GetLocaleInfoW,	4_2_0041A756
Source: C:\Users\user\AppData\Roaming\gferuhf	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	4_2_00415B70
Source: C:\Users\user\AppData\Roaming\gferuhf	Code function: GetLocaleInfoW,	4_2_0041A73D
Source: C:\Users\user\AppData\Roaming\gferuhf	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	4_2_00415BD7
Source: C:\Users\user\AppData\Roaming\gferuhf	Code function: GetLastError,_malloc,WideCharToMultiByte,__freea,GetLocaleInfoA,	4_2_0041A78A
Source: C:\Users\user\AppData\Roaming\gferuhf	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	4_2_004157A5
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Code function: _strlen,EnumSystemLocalesA,	5_2_00416047
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,	5_2_00416070
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,	5_2_004160D7
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Code function: GetLocaleInfoA,	5_2_0041A943
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,	5_2_00416113
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP,	5_2_00415B8E
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW,	5_2_0041A444
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,	5_2_0041A478
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Code function: GetLocaleInfoW,	5_2_0041A42B
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,	5_2_00415CA5
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,	5_2_00415D3D
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,	5_2_00415DB1
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,	5_2_0041A5B7
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,	5_2_00415F83
Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Code function: GetLocaleInfoA,	5_2_0041B793

Source: C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\AppData\Local\Temp\83BC.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\9561.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\9561.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\83BC.exe

Code function: 5_2_005D49C0 LocalHandle,ReadConsoleOutputW,FreeEnvironmentStringsW,CreateNamedPipeW,SetEndOfFile,GlobalDeleteAtom,

5_2_005D49C0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0040BF7C GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_0040BF7C

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_0041ACD6 __get_daylight,__get_daylight,__getenv_helper_nolock,_strlen,__malloc_crt,_strlen,_strcpy_s,GetTimeZoneInformation,

0_2_0041ACD6

Source: C:\Users\user\AppData\Local\Temp\83BC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected Glupteba

Source: Yara match	File source: 23.2.288c47bbc1871b439df19ff4df68f076.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.288c47bbc1871b439df19ff4df68f076.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.288c47bbc1871b439df19ff4df68f076.exe.30f0e67.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.288c47bbc1871b439df19ff4df68f076.exe.2f10e67.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.288c47bbc1871b439df19ff4df68f076.exe.39e0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.4075648542.0000000000843000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.4084338772.0000000000843000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.4106141741.0000000003353000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4107945303.0000000003533000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1763762171.0000000003E22000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected Petite Virus

Source: Yara match	File source: C:\Program Files (x86)\CPointASP\bin\x86\is-9SQN6.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\CPointASP\bin\x86\is-9JRC1.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\CPointASP\bin\x86\is-1TTMQ.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\CPointASP\bin\x86\is-01D6N.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\CPointASP\bin\x86\is-EJ9G2.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\CPointASP\bin\x86\is-4CSOT.tmp, type: DROPPED

Yara detected SmokeLoader

Source: Yara match	File source: 4.2.gferuhf.470e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.gferuhf.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.gferuhf.580000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.toolspub2.exe.5c15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.toolspub2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.5e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.5d0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.1876773105.0000000001F61000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1863090998.0000000000470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1346186233.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1414909359.00000000020A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1677531544.00000000020A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.1614832570.0000000000580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1414691831.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1677390187.0000000000580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected Socks5Systemz

Source: Yara match	File source: 0000002C.00000002.4100878154.0000000002A54000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.4101862181.0000000002B01000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected Stealc

Source: Yara match	File source: 26.2.nsuAC75.tmp.exe.2250e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.nsuAC75.tmp.exe.2250e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.nsuAC75.tmp.exe.2270000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.nsuAC75.tmp.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.nsuAC75.tmp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001A.00000002.2605092891.0000000002250000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2604104518.0000000000400000.00000040.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.1852497320.0000000002270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2605183067.00000000022D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\SysWOW64\explorer.exe

Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\places.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\\logins.json
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\cookies.sqlite-wal
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\cookies.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000001
Source: C:\Windows\SysWOW64\explorer.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\\cert9.db
Source: C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\places.sqlite-wal
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\dtbqpus9.default\key4.db
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\\key4.db
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG.old
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004
Source: C:\Windows\SysWOW64\explorer.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	Directory queried: C:\Users\user\Documents\QCOILOQIKC
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	Directory queried: C:\Users\user\Documents\VWDFPKGDUF
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	Directory queried: C:\Users\user\Documents\ZGGKNSUKOP
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	Directory queried: C:\Users\user\Documents\ZIPXYXWIOY
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	Directory queried: C:\Users\user\Documents\LIJDSFKJZG
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	Directory queried: C:\Users\user\Documents\QCOILOQIKC
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	Directory queried: C:\Users\user\Documents\EIVQSAOTAQ
Source: C:\Users\user\AppData\Local\Temp\CDAA.exe	Directory queried: C:\Users\user\Documents\ZIPXYXWIOY

Source: Yara match	File source: 26.2.nsuAC75.tmp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000022.00000003.2128321951.000000000137A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000003.2077254246.000000000137A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000003.2096984534.000000000137A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000003.2137389333.000000000137A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000003.2120331383.000000000137A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000003.2112222291.000000000137A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000022.00000003.2087024904.000000000137A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected Glupteba

Source: Yara match	File source: 23.2.288c47bbc1871b439df19ff4df68f076.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.288c47bbc1871b439df19ff4df68f076.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.288c47bbc1871b439df19ff4df68f076.exe.30f0e67.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.288c47bbc1871b439df19ff4df68f076.exe.2f10e67.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.3.288c47bbc1871b439df19ff4df68f076.exe.39e0000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.4075648542.0000000000843000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.4084338772.0000000000843000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.4106141741.0000000003353000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4107945303.0000000003533000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1763762171.0000000003E22000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected Petite Virus

Source: Yara match	File source: C:\Program Files (x86)\CPointASP\bin\x86\is-9SQN6.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\CPointASP\bin\x86\is-9JRC1.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\CPointASP\bin\x86\is-1TTMQ.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\CPointASP\bin\x86\is-01D6N.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\CPointASP\bin\x86\is-EJ9G2.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\CPointASP\bin\x86\is-4CSOT.tmp, type: DROPPED

Yara detected SmokeLoader

Source: Yara match	File source: 4.2.gferuhf.470e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.gferuhf.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.3.gferuhf.580000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.toolspub2.exe.5c15a0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.toolspub2.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.3.file.exe.5e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.5d0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000002.1876773105.0000000001F61000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.1863090998.0000000000470000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1346186233.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1414909359.00000000020A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1677531544.00000000020A1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.1614832570.0000000000580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1414691831.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1677390187.0000000000580000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected Socks5Systemz

Source: Yara match	File source: 0000002C.00000002.4100878154.0000000002A54000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.4101862181.0000000002B01000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Yara detected Stealc

Source: Yara match	File source: 26.2.nsuAC75.tmp.exe.2250e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.nsuAC75.tmp.exe.2250e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.3.nsuAC75.tmp.exe.2270000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.nsuAC75.tmp.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 26.2.nsuAC75.tmp.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001A.00000002.2605092891.0000000002250000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2604104518.0000000000400000.00000040.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000003.1852497320.0000000002270000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001A.00000002.2605183067.00000000022D5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact	Resource Development	Reconnaissance
Valid Accounts	21 Windows Management Instrumentation	1 DLL Side-Loading	1 Abuse Elevation Control Mechanism	1 Disable or Modify Tools	2 OS Credential Dumping	2 System Time Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Abuse Accessibility Features	Acquire Infrastructure	Gather Victim Identity Information
Default Accounts	3 Native API	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	1 Credentials in Registry	12 File and Directory Discovery	Remote Desktop Protocol	31 Data from Local System	Exfiltration Over Bluetooth	1 Application Layer Protocol	SIM Card Swap	Obtain Device Cloud Backups	Network Denial of Service	Domains	Credentials
Domain Accounts	1 Exploitation for Client Execution	Logon Script (Windows)	613 Process Injection	1 Abuse Elevation Control Mechanism	Security Account Manager	46 System Information Discovery	SMB/Windows Admin Shares	1 Email Collection	Automated Exfiltration	1 Proxy			Data Encrypted for Impact	DNS Server	Email Addresses
Local Accounts	2 Command and Scripting Interpreter	Login Hook	1 Registry Run Keys / Startup Folder	3 Obfuscated Files or Information	NTDS	1 Query Registry	Distributed Component Object Model	Input Capture	Traffic Duplication	Protocol Impersonation			Data Destruction	Virtual Private Server	Employee Names
Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	23 Software Packing	LSA Secrets	651 Security Software Discovery	SSH	Keylogging	Scheduled Transfer	Fallback Channels			Data Encrypted for Impact	Server	Gather Victim Network Information
Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	351 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Data Transfer Size Limits	Multiband Communication			Service Stop	Botnet	Domain Properties
External Remote Services	Systemd Timers	Startup Items	Startup Items	1 File Deletion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over C2 Channel	Commonly Used Port			Inhibit System Recovery	Web Services	DNS
Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	112 Masquerading	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Exfiltration Over Alternative Protocol	Application Layer Protocol			Defacement	Serverless	Network Trust Dependencies
Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	351 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	2 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Web Protocols			Internal Defacement	Malvertising	Network Topology
Supply Chain Compromise	PowerShell	Cron	Cron	613 Process Injection	Network Sniffing	1 Remote System Discovery	Shared Webroot	Local Data Staging	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	File Transfer Protocols			External Defacement	Compromise Infrastructure	IP Addresses
Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Hidden Files and Directories	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Exfiltration Over Unencrypted Non-C2 Protocol	Mail Protocols			Firmware Corruption	Domains	Network Security Appliances
Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 Regsvr32	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	Exfiltration Over Physical Medium	DNS			Resource Hijacking	DNS Server	Gather Victim Org Information
Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	1 Rundll32	GUI Input Capture	Permission Groups Discovery	Replication Through Removable Media	Email Collection	Exfiltration over USB	Proxy			Network Denial of Service	Virtual Private Server	Determine Physical Locations

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Link
file.exe	38%	ReversingLabs
file.exe	44%	Virustotal	Browse
file.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files (x86)\CPointASP\bin\x86\7z.exe (copy)	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\OptimFROG.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\bass_fx.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\bass_ofr.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\bass_tta.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\bassalac.dll (copy)	3%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\bassape.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\basscd.dll (copy)	3%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\bassdsd.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\bassflac.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\bassmidi.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\bassmix.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\bassopus.dll (copy)	3%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\basswma.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\basswv.dll (copy)	3%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\d_writer.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\da.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\daiso.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\dsd2.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\dsd2pcmt.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\dstt.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\ff_helper.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\gain_analysis.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\is-01D6N.tmp	3%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\is-040AJ.tmp	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\is-0U1TM.tmp	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\is-1TTMQ.tmp	3%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\is-1V3O7.tmp	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\is-2458N.tmp	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\is-2CL5A.tmp	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\is-4CSOT.tmp	3%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\is-7QIAL.tmp	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\is-7RFNU.tmp	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\is-7TH98.tmp	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\is-93FRL.tmp	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\is-9JRC1.tmp	3%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\is-9SQN6.tmp	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\is-AO7D9.tmp	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\is-AU9HG.tmp	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\is-AVN6H.tmp	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\is-B87EH.tmp	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\is-DER7H.tmp	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\is-EFHJ3.tmp	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\is-EJ9G2.tmp	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\is-F3LHF.tmp	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\is-G4UPE.tmp	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\is-GE7OO.tmp	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\is-GR811.tmp	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\is-HRFH2.tmp	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\is-II7SF.tmp	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\is-K0GP7.tmp	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\is-KBFH3.tmp	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\is-KDLQ5.tmp	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\is-KS29E.tmp	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\is-LJEF3.tmp	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\is-NEGHU.tmp	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\is-ODNC4.tmp	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\is-P9QDC.tmp	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\is-RRNMJ.tmp	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\is-VRA2K.tmp	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\is-VT3M5.tmp	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\lame_enc.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\libFLAC_dynamic.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\libdtsdec.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\libsoxr.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\libwebp.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\libwinpthread-1.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\mp3gain.exe (copy)	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\pcm2dsd.exe (copy)	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\plugins\internal\is-HHJJI.tmp	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\plugins\internal\is-IOMGH.tmp	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\plugins\internal\peak_scanner_plugin_c.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\plugins\internal\raw_decode_plugin_c.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\rg_ebur128.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\sd.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\tak_deco_lib.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\takdec.exe (copy)	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\uchardet.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\utils.dll (copy)	0%	ReversingLabs
C:\Program Files (x86)\CPointASP\bin\x86\wavpackdll.dll (copy)	0%	ReversingLabs
C:\ProgramData\Drivers\csrss.exe	74%	ReversingLabs	Win32.Trojan.SmokeLoader
C:\ProgramData\freebl3.dll	0%	ReversingLabs
C:\ProgramData\mozglue.dll	0%	ReversingLabs
C:\ProgramData\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\nss3.dll	0%	ReversingLabs
C:\ProgramData\softokn3.dll	0%	ReversingLabs
C:\ProgramData\vcruntime140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\freebl3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\mozglue[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\msvcp140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\nss3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\softokn3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\vcruntime140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	91%	ReversingLabs	Win32.Trojan.SmokeLoader
C:\Users\user\AppData\Local\Temp\3205.exe	57%	ReversingLabs	Win32.Trojan.Smokeloader
C:\Users\user\AppData\Local\Temp\83BC.exe	74%	ReversingLabs	Win32.Trojan.SmokeLoader
C:\Users\user\AppData\Local\Temp\9561.exe	91%	ReversingLabs	ByteCode-MSIL.Trojan.Smokeloader
C:\Users\user\AppData\Local\Temp\973D.exe	51%	ReversingLabs	Win32.Trojan.Smokeloader
C:\Users\user\AppData\Local\Temp\BroomSetup.exe	30%	ReversingLabs	Win32.Trojan.Malgent
C:\Users\user\AppData\Local\Temp\C1C2.dll	30%	ReversingLabs	Win32.Trojan.Generic

Unpacked PE Files

⊘No Antivirus matches

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://invalidlog.txtlookup	0%	URL Reputation	safe
http://invalidlog.txtlookup	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
http://host-host-file8.com/	100%	URL Reputation	malware
http://devlog.gregarius.net/docs/ua)Links	0%	URL Reputation	safe
http://www.exabot.com/go/robot)Opera/9.80	0%	URL Reputation	safe
http://www.exabot.com/go/robot)Opera/9.80	0%	URL Reputation	safe
http://www.googlebot.com/bot.html)Links	0%	URL Reputation	safe
http://www.alltheweb.com/help/webmaster/crawler)Mozilla/5.0	0%	URL Reputation	safe
https://blockstream.info/apiinva	0%	URL Reputation	safe
http://misc.yahoo.com.cn/help.html)QueryPerformanceFrequency	0%	URL Reputation	safe
http://host-file-host6.com/	100%	URL Reputation	malware
http://www.google.c	0%	URL Reputation	safe
https://blockchain.infoindex	0%	URL Reputation	safe
http://www.bloglines.com)Frame	0%	Avira URL Cloud	safe
http://www.avantbrowser.com)MOT-V9mm/	0%	Avira URL Cloud	safe
http://grub.org)Mozilla/5.0	0%	Avira URL Cloud	safe
https://raw.githubusercontent.com/spesmilo/electrum/master/electrum/servers.jsonsize	0%	Avira URL Cloud	safe
http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.oniontls:	0%	Avira URL Cloud	safe
http://5.42.66.58/3886d2276f6914c4.php	0%	Avira URL Cloud	safe
http://www.spidersoft.com)	0%	Avira URL Cloud	safe
https://outlook.comNaP0B	0%	Avira URL Cloud	safe
https://powerpoint.office.comcemberZ	0%	Avira URL Cloud	safe
https://excel.office.comE	0%	Avira URL Cloud	safe
https://word.office.com576	0%	Avira URL Cloud	safe
http://localhost:3433/https://duniadekho.baridna:	0%	Avira URL Cloud	safe
https://sabotage.net	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

⊘No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://host-host-file8.com/	true	URL Reputation: malware	unknown
http://5.42.66.58/3886d2276f6914c4.php	true	Avira URL Cloud: safe	unknown
http://host-file-host6.com/	true	URL Reputation: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://api.msn.com/v1/news/Feed/Windows?	explorer.exe, 00000002.00000000.1401121668.00000000093B4000.00000004.00000001.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT	explorer.exe, 00000002.00000000.1399234102.0000000006F96000.00000004.00000001.00020000.00000000.sdmp	false		high
https://wns.windows.com/bat	explorer.exe, 00000002.00000000.1401737978.0000000009724000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/health/wellness/7-secrets-to-a-happy-old-age-backed-by-science/ss-AA1hwpvW	explorer.exe, 00000002.00000000.1399234102.0000000006F96000.00000004.00000001.00020000.00000000.sdmp	false		high
http://invalidlog.txtlookup	288c47bbc1871b439df19ff4df68f076.exe	false	URL Reputation: safe URL Reputation: safe	unknown
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000002.00000000.1399234102.0000000006F96000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1398152644.0000000002FA0000.00000004.00000001.00020000.00000000.sdmp	false		high
http://yandex.com/bots)Opera	288c47bbc1871b439df19ff4df68f076.exe	false		high
https://www.msn.com/en-us/news/politics/california-workers-will-get-five-sick-days-instead-of-three-	explorer.exe, 00000002.00000000.1399234102.0000000006F96000.00000004.00000001.00020000.00000000.sdmp	false		high
https://github.com/Snawoot/opera-proxy/releases/download/v1.2.2/opera-proxy.windows-386.exeBlackBerr	288c47bbc1871b439df19ff4df68f076.exe	false		high
https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b	explorer.exe, 00000002.00000000.1399234102.0000000006F96000.00000004.00000001.00020000.00000000.sdmp	false		high
http://schemas.micro	explorer.exe, 00000002.00000000.1400138185.0000000007AF0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1397922890.0000000002C00000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1400153686.0000000007B10000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg	explorer.exe, 00000002.00000000.1399234102.0000000006F96000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/crime/bar-fight-leaves-man-in-critical-condition-suspect-arrested-in-	explorer.exe, 00000002.00000000.1399234102.0000000006F96000.00000004.00000001.00020000.00000000.sdmp	false		high
https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppin	explorer.exe, 00000002.00000000.1403829585.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp	false		high
http://devlog.gregarius.net/docs/ua)Links	288c47bbc1871b439df19ff4df68f076.exe	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/money/companies/legacy-park-auction-canceled-liquidation-proposed-here-s-w	explorer.exe, 00000002.00000000.1399234102.0000000006F96000.00000004.00000001.00020000.00000000.sdmp	false		high
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000002.00000000.1399234102.0000000006F96000.00000004.00000001.00020000.00000000.sdmp	false		high
http://grub.org)Mozilla/5.0	288c47bbc1871b439df19ff4df68f076.exe	false	Avira URL Cloud: safe	low
https://raw.githubusercontent.com/spesmilo/electrum/master/electrum/servers.jsonsize	288c47bbc1871b439df19ff4df68f076.exe	false	Avira URL Cloud: safe	unknown
http://www.avantbrowser.com)MOT-V9mm/	288c47bbc1871b439df19ff4df68f076.exe	false	Avira URL Cloud: safe	low
https://cdn.discordapp.com/attachments/1088058556286251082/1111230812579450950/TsgVtmYNoFT.zipMozill	288c47bbc1871b439df19ff4df68f076.exe	false		high
https://powerpoint.office.comcemberZ	explorer.exe, 00000002.00000000.1403829585.000000000CFF4000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/X	explorer.exe, 00000002.00000000.1401121668.00000000093B4000.00000004.00000001.00020000.00000000.sdmp	false		high
https://turnitin.com/robot/crawlerinfo.html)cannot	288c47bbc1871b439df19ff4df68f076.exe	false		high
https://www.msn.com/en-us/news/world/pastor-of-atlanta-based-megachurch-faces-backlash-after-controv	explorer.exe, 00000002.00000000.1399234102.0000000006F96000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.exabot.com/go/robot)Opera/9.80	288c47bbc1871b439df19ff4df68f076.exe	false	URL Reputation: safe URL Reputation: safe	unknown
http://www.bloglines.com)Frame	288c47bbc1871b439df19ff4df68f076.exe	false	Avira URL Cloud: safe	low
http://www.googlebot.com/bot.html)Links	288c47bbc1871b439df19ff4df68f076.exe	false	URL Reputation: safe	unknown
https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi	explorer.exe, 00000002.00000000.1399234102.0000000006F96000.00000004.00000001.00020000.00000000.sdmp	false		high
https://outlook.comNaP0B	explorer.exe, 00000002.00000000.1403829585.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000002.00000000.1399234102.00000000070CE000.00000004.00000001.00020000.00000000.sdmp	false		high
http://search.msn.com/msnbot.htm)net/http:	288c47bbc1871b439df19ff4df68f076.exe	false		high
https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al	explorer.exe, 00000002.00000000.1399234102.0000000006F96000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.alltheweb.com/help/webmaster/crawler)Mozilla/5.0	288c47bbc1871b439df19ff4df68f076.exe	false	URL Reputation: safe	unknown
https://www.msn.com/en-us/news/world/ukraine-live-briefing-biden-does-worry-house-drama-will-impact-	explorer.exe, 00000002.00000000.1399234102.0000000006F96000.00000004.00000001.00020000.00000000.sdmp	false		high
http://www.google.com/bot.html)crypto/ecdh:	288c47bbc1871b439df19ff4df68f076.exe	false		high
https://www.msn.com/en-us/money/realestate/my-husband-and-i-paid-off-our-mortgage-more-than-15-years	explorer.exe, 00000002.00000000.1399234102.0000000006F96000.00000004.00000001.00020000.00000000.sdmp	false		high
http://vcr4vuv4sf5233btfy7xboezl7umjw7rljdmaeztmmf4s6k2ivinj3yd.oniontls:	288c47bbc1871b439df19ff4df68f076.exe	true	Avira URL Cloud: safe	unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 00000002.00000000.1399234102.0000000006F96000.00000004.00000001.00020000.00000000.sdmp	false		high
http://search.msn.com/msnbot.htm)msnbot/1.1	288c47bbc1871b439df19ff4df68f076.exe	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark	explorer.exe, 00000002.00000000.1399234102.0000000006F96000.00000004.00000001.00020000.00000000.sdmp	false		high
https://blockstream.info/apiinva	288c47bbc1871b439df19ff4df68f076.exe	false	URL Reputation: safe	unknown
http://www.archive.org/details/archive.org_bot)Opera/9.80	288c47bbc1871b439df19ff4df68f076.exe	false		high
http://www.baidu.com/search/spider.htm)MobileSafari/600.1.4	288c47bbc1871b439df19ff4df68f076.exe	false		high
http://yandex.com/bots)Opera/9.51	288c47bbc1871b439df19ff4df68f076.exe	false		high
http://www.spidersoft.com)	288c47bbc1871b439df19ff4df68f076.exe	false	Avira URL Cloud: safe	low
http://www.google.com/bot.html)Mozilla/5.0	288c47bbc1871b439df19ff4df68f076.exe	false		high
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000002.00000000.1399234102.0000000006F96000.00000004.00000001.00020000.00000000.sdmp	false		high
https://api.msn.com/v1/news/Feed/Windows?activityId=C2BB6DDCE8D847D6B779FE8AEC27D161&timeOut=5000&oc	explorer.exe, 00000002.00000000.1399234102.0000000006F96000.00000004.00000001.00020000.00000000.sdmp	false		high
https://word.office.com576	explorer.exe, 00000002.00000000.1403829585.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/opinion/decline-of-decorum-21-essential-manners-today-s-parents-fail-	explorer.exe, 00000002.00000000.1399234102.0000000006F96000.00000004.00000001.00020000.00000000.sdmp	false		high
http://archive.org/details/archive.org_bot)Mozilla/5.0	288c47bbc1871b439df19ff4df68f076.exe	false		high
https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve	explorer.exe, 00000002.00000000.1399234102.0000000006F96000.00000004.00000001.00020000.00000000.sdmp	false		high
http://misc.yahoo.com.cn/help.html)QueryPerformanceFrequency	288c47bbc1871b439df19ff4df68f076.exe	false	URL Reputation: safe	unknown
http://help.yahoo.com/help/us/ysearch/slurp)SonyEricssonK550i/R1JD	288c47bbc1871b439df19ff4df68f076.exe	false		high
https://excel.office.comE	explorer.exe, 00000002.00000000.1403829585.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.google.c	288c47bbc1871b439df19ff4df68f076.exe	false	URL Reputation: safe	unknown
http://www.google.com/feedfetcher.html)HKLM	288c47bbc1871b439df19ff4df68f076.exe	false		high
https://sabotage.net	83BC.exe, 00000006.00000003.2792254345.00000000029BD000.00000004.00000020.00020000.00000000.sdmp, 83BC.exe, 00000006.00000003.2777166580.00000000035AD000.00000004.00000020.00020000.00000000.sdmp, 83BC.exe, 00000006.00000003.2777583545.0000000003719000.00000004.00000020.00020000.00000000.sdmp, 83BC.exe, 00000006.00000003.2890107185.00000000029BD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000002.00000000.1403829585.000000000D1B6000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/crime/one-dead-several-wounded-after-drive-by-shootings-in-south-la/a	explorer.exe, 00000002.00000000.1399234102.0000000006F96000.00000004.00000001.00020000.00000000.sdmp	false		high
https://blockchain.infoindex	288c47bbc1871b439df19ff4df68f076.exe	false	URL Reputation: safe	unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg	explorer.exe, 00000002.00000000.1399234102.0000000006F96000.00000004.00000001.00020000.00000000.sdmp	false		high
http://localhost:3433/https://duniadekho.baridna:	288c47bbc1871b439df19ff4df68f076.exe	true	Avira URL Cloud: safe	low
http://search.msn.com/msnbot.htm)pkcs7:	288c47bbc1871b439df19ff4df68f076.exe	false		high
http://www.alexa.com/help/webmasters;	288c47bbc1871b439df19ff4df68f076.exe	false		high
https://api.msn.com/$	explorer.exe, 00000002.00000000.1401121668.00000000093B4000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com:443/en-us/feed	explorer.exe, 00000002.00000000.1399234102.0000000006F96000.00000004.00000001.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
34.226.159.77	unknown	United States	14618	AMAZON-AESUS	false
216.220.163.42	unknown	United States	11753	NETREPID1US	false
172.98.192.36	unknown	United States	31863	DACEN-2US	false
185.37.70.29	unknown	Netherlands	48635	ASTRALUSNL	false
34.94.245.237	unknown	United States	15169	GOOGLEUS	false
52.101.73.30	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
52.101.8.36	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
172.67.202.60	unknown	United States	13335	CLOUDFLARENETUS	false
13.36.107.63	unknown	United States	7018	ATT-INTERNET4US	false
172.67.142.68	unknown	United States	13335	CLOUDFLARENETUS	false
78.94.253.253	unknown	Germany	6830	LIBERTYGLOBALLibertyGlobalformerlyUPCBroadbandHolding	false
172.67.187.94	unknown	United States	13335	CLOUDFLARENETUS	false
41.185.8.154	unknown	South Africa	36943	GridhostZA	false
216.21.239.197	unknown	United States	19871	NETWORK-SOLUTIONS-HOSTINGUS	false
135.148.130.76	unknown	United States	18676	AVAYAUS	false
192.254.186.217	unknown	United States	46606	UNIFIEDLAYER-AS-1US	false
135.148.130.75	unknown	United States	18676	AVAYAUS	false
204.44.192.16	unknown	Canada	8100	ASN-QUADRANET-GLOBALUS	false
77.88.21.249	unknown	Russian Federation	13238	YANDEXRU	false
128.31.0.39	unknown	United States	3	MIT-GATEWAYSUS	false
172.67.182.184	unknown	United States	13335	CLOUDFLARENETUS	false
91.215.85.17	unknown	Russian Federation	34665	PINDC-ASRU	false
198.54.122.240	unknown	United States	22612	NAMECHEAP-NETUS	false
185.199.110.153	unknown	Netherlands	54113	FASTLYUS	false
172.67.129.24	unknown	United States	13335	CLOUDFLARENETUS	false
62.149.128.40	unknown	Italy	31034	ARUBA-ASNIT	false
86.105.245.69	unknown	Netherlands	20857	TRANSIP-ASAmsterdamtheNetherlandsNL	false
217.70.184.38	unknown	France	29169	GANDI-ASDomainnameregistrar-httpwwwgandinetFR	false
173.194.219.26	unknown	United States	15169	GOOGLEUS	false
104.21.26.87	unknown	United States	13335	CLOUDFLARENETUS	false
104.21.81.206	unknown	United States	13335	CLOUDFLARENETUS	false
203.170.190.241	unknown	Thailand	9891	CSLOX-IDC-AS-APCSLOXINFOPublicCompanyLimitedTH	false
23.20.196.100	unknown	United States	14618	AMAZON-AESUS	false
96.125.164.207	unknown	United States	46606	UNIFIEDLAYER-AS-1US	false
172.253.113.26	unknown	United States	15169	GOOGLEUS	false
45.195.84.214	unknown	Seychelles	134548	DXTL-HKDXTLTseungKwanOServiceHK	false
205.196.223.4	unknown	United States	26347	DREAMHOST-ASUS	false
185.196.8.22	unknown	Switzerland	34888	SIMPLECARRER2IT	false
104.47.75.164	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
104.47.55.138	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
104.21.40.166	unknown	United States	13335	CLOUDFLARENETUS	false
84.46.239.163	unknown	Lithuania	15419	LRTC-ASLT	false
31.127.34.9	unknown	United Kingdom	12576	EELtdGB	false
104.21.22.36	unknown	United States	13335	CLOUDFLARENETUS	false
104.247.81.53	unknown	Canada	206834	TEAMINTERNET-CA-ASCA	false
172.67.193.120	unknown	United States	13335	CLOUDFLARENETUS	false
15.197.142.173	unknown	United States	7430	TANDEMUS	false
82.165.215.61	unknown	Germany	8560	ONEANDONE-ASBrauerstrasse48DE	false
46.30.215.208	unknown	Denmark	51468	ONECOMDK	false
185.230.63.171	unknown	Israel	58182	WIX_COMIL	false
208.91.198.110	unknown	United States	394695	PUBLIC-DOMAIN-REGISTRYUS	false
185.151.30.174	unknown	United Kingdom	48254	TWENTYIGB	false
148.72.124.79	unknown	United States	26496	AS-26496-GO-DADDY-COM-LLCUS	false
163.44.174.129	unknown	Japan	7506	INTERQGMOInternetIncJP	false
62.210.16.61	unknown	France	12876	OnlineSASFR	false
172.67.168.30	unknown	United States	13335	CLOUDFLARENETUS	false
148.163.129.50	unknown	United States	13916	PROOFPOINT-UT7US	false
172.65.182.103	unknown	United States	13335	CLOUDFLARENETUS	false
130.211.171.61	unknown	United States	15169	GOOGLEUS	false
44.206.9.87	unknown	United States	14618	AMAZON-AESUS	false
91.92.254.7	unknown	Bulgaria	34368	THEZONEBG	false
44.236.177.54	unknown	United States	16509	AMAZON-02US	false
4.59.181.140	unknown	United States	3356	LEVEL3US	false
119.18.54.100	unknown	India	394695	PUBLIC-DOMAIN-REGISTRYUS	false
104.47.66.10	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
216.239.32.21	unknown	United States	15169	GOOGLEUS	false
206.188.192.59	unknown	United States	55002	DEFENSE-NETUS	false
104.21.73.244	unknown	United States	13335	CLOUDFLARENETUS	false
216.55.149.43	unknown	United States	30447	INFB2-ASUS	false
185.230.63.186	unknown	Israel	58182	WIX_COMIL	false
216.55.149.44	unknown	United States	30447	INFB2-ASUS	false
162.255.119.152	unknown	United States	22612	NAMECHEAP-NETUS	false
216.194.163.213	unknown	United States	22611	IMH-WESTUS	false
23.227.38.65	unknown	Canada	13335	CLOUDFLARENETUS	false
104.47.75.228	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
51.15.246.170	unknown	France	12876	OnlineSASFR	false
68.178.211.42	unknown	United States	26496	AS-26496-GO-DADDY-COM-LLCUS	false
172.67.140.205	unknown	United States	13335	CLOUDFLARENETUS	false
178.17.170.13	unknown	Moldova Republic of	43289	TRABIAMD	false
116.202.169.30	unknown	Germany	24940	HETZNER-ASDE	false
172.67.190.234	unknown	United States	13335	CLOUDFLARENETUS	false
5.42.66.58	unknown	Russian Federation	39493	RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU	true
216.243.143.113	unknown	United States	54155	GREENCLOUDUS	false
92.205.49.77	unknown	Germany	8972	GD-EMEA-DC-SXB1DE	false
5.42.64.35	unknown	Russian Federation	39493	RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU	false
173.249.63.227	unknown	Germany	51167	CONTABODE	false
198.185.165.105	unknown	United States	15299	CFS-AS01US	false
216.239.133.242	unknown	United States	19237	OMNISUS	false
104.198.2.251	unknown	United States	15169	GOOGLEUS	false
45.66.33.45	unknown	Netherlands	47482	SPECTRENL	false
185.164.14.6	unknown	Denmark	51468	ONECOMDK	false
5.42.65.125	unknown	Russian Federation	39493	RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU	false
103.168.172.216	unknown	unknown	7575	AARNET-AS-APAustralianAcademicandResearchNetworkAARNe	false
104.90.21.73	unknown	United States	2914	NTT-COMMUNICATIONS-2914US	false
154.49.142.34	unknown	United States	174	COGENT-174US	false
185.230.63.107	unknown	Israel	58182	WIX_COMIL	false
103.168.172.221	unknown	unknown	7575	AARNET-AS-APAustralianAcademicandResearchNetworkAARNe	false
142.250.128.26	unknown	United States	15169	GOOGLEUS	false
65.109.162.19	unknown	United States	11022	ALABANZA-BALTUS	false
151.101.194.159	unknown	United States	54113	FASTLYUS	false

General Information

Joe Sandbox version:	38.0.0 Ammolite
Analysis ID:	1367739
Start date and time:	2023-12-28 17:31:09 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 14m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	47
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@72/197@0/100
EGA Information:	Successful, ratio: 66.7%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, Conhost.exe, dllhost.exe, consent.exe, SIHClient.exe, conhost.exe, svchost.exe
Execution Graph export aborted for target 9561.exe, PID 3488 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryDirectoryFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Skipping network analysis since amount of network traffic is too extensive

Simulations

Behavior and APIs

Time	Type	Description
17:32:26	API Interceptor	169001x Sleep call for process: explorer.exe modified
17:32:33	Task Scheduler	Run new task: Firefox Default Browser Agent 94BE8FDACA4FA1EA path: C:\Users\user\AppData\Roaming\gferuhf
17:32:48	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run CSRSS "C:\ProgramData\Drivers\csrss.exe"
17:32:49	API Interceptor	7x Sleep call for process: 288c47bbc1871b439df19ff4df68f076.exe modified
17:32:58	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run CSRSS "C:\ProgramData\Drivers\csrss.exe"
17:33:06	API Interceptor	18x Sleep call for process: CDAA.exe modified
17:33:06	API Interceptor	19x Sleep call for process: powershell.exe modified
17:33:19	Task Scheduler	Run new task: Firefox Default Browser Agent 2925DADCB3EA6511 path: C:\Users\user\AppData\Roaming\tieruhf
17:33:24	API Interceptor	4474x Sleep call for process: 83BC.exe modified
17:33:35	Task Scheduler	Run new task: Time Trigger Task path: C:\Users\user\AppData\Local\af869434-f4e2-4e9f-8773-97268c55c07f\E297.exe s>--Task
17:33:36	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run SysHelper "C:\Users\user\AppData\Local\af869434-f4e2-4e9f-8773-97268c55c07f\E297.exe" --AutoStart
17:33:39	API Interceptor	4669x Sleep call for process: cpointasp.exe modified
17:33:45	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run SysHelper "C:\Users\user\AppData\Local\af869434-f4e2-4e9f-8773-97268c55c07f\E297.exe" --AutoStart

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
34.226.159.77	SSmamWOS7L.exe	Get hash	malicious	Glupteba, SmokeLoader, Stealc	Browse
172.67.142.68	https://redhouseseafood.site/Trasmus.damsgaard@gerflor.com	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse
78.94.253.253	SSmamWOS7L.exe	Get hash	malicious	Glupteba, SmokeLoader, Stealc	Browse
	zzfenRCj9M.exe	Get hash	malicious	Glupteba, SmokeLoader	Browse
	SaLY22oLht.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	Unknown	Browse
172.98.192.36	wHtiaQ7bcs.exe	Get hash	malicious	Unknown	Browse	dl.xetapp.us/downloads/software/system/components/sandboxie.exe
	NCkAC6yIng.exe	Get hash	malicious	Unknown	Browse	dl.xetapp.us/downloads/software/system/development/autoit.setup.exe
	MMmchy1Kjl.exe	Get hash	malicious	Unknown	Browse	dl.xetapp.us/downloads/software/multimedia/media-players/splayer.setup.exe
52.101.8.36	3yPvcmrbqS.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Socks5Systemz	Browse
	SaLY22oLht.exe	Get hash	malicious	Unknown	Browse
	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse
172.67.202.60	http://js.gazo.space/naked%20preteen%20girls%209%20-%2011%20y.o.%20small%20little%20naked/pic1.html	Get hash	malicious	Unknown	Browse
	MrC62tC6VB.exe	Get hash	malicious	RedLine	Browse
	setup_x86_x64_install.exe	Get hash	malicious	RedLine SmokeLoader Socelars Vidar	Browse
	zuyrzhibfm.exe	Get hash	malicious	RedLine	Browse
	SetupPro_D1.exe	Get hash	malicious	RedLine	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-AESUS	https://trk-mkt.tason.com/CheckNew.html?TV9JRD0xNDk4OTAyMjM5OQ==&U1RZUEU9TUFTUw==&RU1BSUxfSUQ9c2toOTk5QGtvbmt1ay5hYy5rcg==&TElTVF9UQUJMRT1FQkFEMTI2MA==&UE9TVF9JRD0yMDIzMTIwODEwMDAxNTg4OTIzOQ==&VEM9MjAyMzEyMjQ=&S0lORD1D&Q0lEPTAyNg==&URL=https://r20.rs6.net/tn.jsp?f=0014gmgutaDGx_5ODQDZ2TqleQ7SBHYKBVCEIgHFvoNN9ImThxUV8-E3ClURqVEGnwR6Kzy1XNyhilR0QDo7aMKzUwooHLMV942xNnxEzzeqirBuDEvDCp73JSCRogDRktWVgI8Y7CbLpv9srKtgkkjoF-Y0P32q6jDv6uc25QDPTs=&c=IPkHLSa3e-6lRbIa2BF8y9b_zy_gitLCOT0XJXn7oWZXiOrCW4tsNw==&ch===&__=/qwer/Y29tbWVyY2lhbGJ1eWluZy1hbGxAYXNvcy5jb20=	Get hash	malicious	Unknown	Browse	3.227.151.68
	KFP.311.152.2023.pdf.lnk	Get hash	malicious	Unknown	Browse	3.226.103.37
	http://classicshell.mediafire.com/file/d5llbbm8wu92jg8/ClassicShellSetup_4_3_1.exe	Get hash	malicious	Unknown	Browse	3.93.251.5
	b3astmode.x86.elf	Get hash	malicious	Mirai	Browse	54.167.33.178
	https://tr.cloudmagic.com/h/v6/link-track/1.0/1701086400472463-764fdcc1-5636-8ec0-9921-657fc389a58d/1701086400/25428e3be41a7969afc74069558c4f24/5761fb4ca59273cc02eaba39cd4d5172/fd34dd696e1174d4892f1b03d96c6261?redirect_uri=//payy80%E3%80%82my.id/cgi/ZGFuaWVsYS5jb2Npb3JiYUBub3ZvYmFuY28ucHQ=	Get hash	malicious	Unknown	Browse	54.198.166.210
	C7e8AncaYu.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Stealc, zgRAT	Browse	3.5.29.74
	4odP2y5EjF.elf	Get hash	malicious	Mirai	Browse	107.22.157.130
	https://pub-af1ca2628047462d82e8cad6b44984b9.r2.dev/index.htm	Get hash	malicious	HTMLPhisher	Browse	3.210.144.234
	CekUIgRRBh.elf	Get hash	malicious	Mirai	Browse	34.199.141.148
	arm.elf	Get hash	malicious	Mirai	Browse	100.25.19.87
	https://www.driect.smbc.apxuanzhi.com/ibg/client/home.php	Get hash	malicious	Unknown	Browse	3.227.190.204
	https://www.resoma.biocaffevero.com/resona/client/index.php	Get hash	malicious	Unknown	Browse	44.219.122.15
	https://www.snbc.ncxyktxqx.com/ibg/client/home.php	Get hash	malicious	Unknown	Browse	35.172.245.152
	https://www.resonn.gamesnanime.com/resona/client/index.php	Get hash	malicious	Unknown	Browse	44.219.122.15
	https://user-app.sentieo.com/alert/alert_click/?tp=eyJlbWFpbCI6ICJoYXJ2ZXlAY3Jhd2ZvcmRsYWtlY2FwaXRhbC5jb20iLCAidGlja2VyIjogInNlIiwgIm1ldGFfdHlwZSI6ICJkb2N1bWVudCIsICJhbGVydF90eXBlIjogImRzX2FsZXJ0X3NtYXJ0X3N1bW1hcnkiLCAibGlua190eXBlIjogImFsZXJ0X3R5cGVfdW5zdWIifQ==&url=//pub-944700c5e5ad4296a27eef5f68f85126.r2.dev/attachment-link%20(9).html	Get hash	malicious	Unknown	Browse	23.23.190.254
	https://user-app.sentieo.com/alert/alert_click/?tp=eyJlbWFpbCI6ICJoYXJ2ZXlAY3Jhd2ZvcmRsYWtlY2FwaXRhbC5jb20iLCAidGlja2VyIjogInNlIiwgIm1ldGFfdHlwZSI6ICJkb2N1bWVudCIsICJhbGVydF90eXBlIjogImRzX2FsZXJ0X3NtYXJ0X3N1bW1hcnkiLCAibGlua190eXBlIjogImFsZXJ0X3R5cGVfdW5zdWIifQ==&url=//pub-944700c5e5ad4296a27eef5f68f85126.r2.dev/attachment-link%20(9).html	Get hash	malicious	Unknown	Browse	3.226.50.163
	https://pub-e9f67c007e204b22aad1896415d421a1.r2.dev/index2.html?data=wilkinsinternational%40zurn.com&subf=Transport-Label.pdf&file=Waybill.pdf	Get hash	malicious	HTMLPhisher	Browse	18.210.74.15
	https://2fa.com-token-auth.com/XUWt4dVMzUjJiV3Q1ZGxkaFMyRmpjbU4yTHpNMkwxUTFSMEZ0YzJ4UWF6WXZRVlZXUW1KQ2FYZzBhalZFWTBVNGFGaEJjR3R0Y1ZCSEsySkViVzk0TUZsWE9IZE1UR1pOTUhST2NTOHJSM0V2VWpOVVNWUnlVRmcxTUZsa1NXcFpOVlZLUWxkVVdrUnRhbk5tVldOYWJtUnhkbXBvUjJoamVtdHdTVTR2Wm1ndlR6TlhNVmR6ZFRBdlRrVnJRV0V4UldsM04yRXlkRFpaV25sbFRFOHJRVTFsZFdsRFFYWTRNMWRuTmtSSVRtVjVNamh2UkdwRFZ6ZG1NbU5aUlNzckxTMTNjVFUxYzI5NWJtNUROa3BUTHpWMVQwTnBiVWxCUFQwPS0tNDMyMGM0Nzc0MmFjMDdlNmJjZTY4NGM4YzcyZTJhYzY4MmEyMWFmNg==?cid=1855985826	Get hash	malicious	Unknown	Browse	50.19.12.94
	http://www.m9c.net	Get hash	malicious	Unknown	Browse	3.217.69.99
	1RS8d3yXB1.exe	Get hash	malicious	Glupteba, Petite Virus, SmokeLoader, Stealc	Browse	44.193.58.35
DACEN-2US	xqz8sQ4mZB.exe	Get hash	malicious	Glupteba, SmokeLoader	Browse	172.98.192.36
	F0sgNHIqn8.exe	Get hash	malicious	FormBook	Browse	104.171.114.131
	SecuriteInfo.com.Trojan.Siggen4.13379.3459.984.exe	Get hash	malicious	Unknown	Browse	172.98.192.35
	Request_for_Quotation_-_Order_Listings.pif.exe	Get hash	malicious	Unknown	Browse	104.152.189.140
	INVOICES_+_PACKINGLIST+DEBIT_NOTE+DELIVERY_NOTE.scr.exe	Get hash	malicious	Unknown	Browse	104.152.189.140
	http://yotube.com	Get hash	malicious	Unknown	Browse	172.98.192.36
	Purchase_order_PO-0630.pif.exe	Get hash	malicious	Unknown	Browse	104.152.189.140
	RByVquC7Cs.exe	Get hash	malicious	Unknown	Browse	172.98.192.35
	https://apiservices.krxd.net/click_tracker/track?kxconfid=whjxbtb0h&kxcampaignid=P.C.C-Class.W206.L.MI&kxplacementid=module2findmycar&kxbrand=MB&clk=https%3A%2F%2Fcivicsqa.com%2Fnew%2Fauth%2FxZHQkG%2F%2F%2F%2FYWxhbmFoLmJlY2tAYXJjYWRpYZNvbHV0aW9ucy5jb20=	Get hash	malicious	HTMLPhisher	Browse	23.92.208.115
	mirai.arm.elf	Get hash	malicious	Mirai	Browse	142.202.227.195
	Past Due Invoice # 7239 (SO 5331).htm	Get hash	malicious	HTMLPhisher	Browse	192.198.82.59
	STATEMENT for Steam Solutions.HTML	Get hash	malicious	HTMLPhisher	Browse	192.198.82.59
	STATEMENT for H&E Equipment Services, Inc..HTML	Get hash	malicious	HTMLPhisher	Browse	192.198.82.59
	http://yotube.com	Get hash	malicious	Unknown	Browse	172.98.192.36
	https://ellefsen.be/wp-admin/SG/MicrosoftExcel/source/?email=fi-cindy.ly@falconincorporation.com	Get hash	malicious	HTMLPhisher	Browse	192.111.159.131
	EFT-Payment 02-16-2023.Htm	Get hash	malicious	Captcha Phish	Browse	192.111.146.185
	VM Mon, February 6, 2023 #12971.html	Get hash	malicious	Captcha Phish, HTMLPhisher	Browse	192.198.82.62
	sample.dll.dll	Get hash	malicious	BumbleBee	Browse	192.111.146.189
	https://h-kd0.shop/?e=bnJjZGNAaG9tZW9mZmljZS5nb3YudWs	Get hash	malicious	Unknown	Browse	192.198.82.62
	https://h-kd0.shop/?e=bnJjZGNAaG9tZW9mZmljZS5nb3YudWs	Get hash	malicious	Unknown	Browse	192.198.82.62

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Program Files (x86)\CPointASP\bin\x86\7z.exe (copy)	C7e8AncaYu.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Stealc, zgRAT	Browse
	aiJQkLaTCf.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Stealc	Browse
	uVQLD8YVk6.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, Petite Virus, RHADAMANTHYS, RedLine, SmokeLoader	Browse
	W73PCbSH71.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, Petite Virus, RHADAMANTHYS, RedLine, SmokeLoader	Browse
	1RS8d3yXB1.exe	Get hash	malicious	Glupteba, Petite Virus, SmokeLoader, Stealc	Browse
	7uu2Bn48.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Stealc, zgRAT	Browse
	xksYucKYRR.exe	Get hash	malicious	Glupteba, Petite Virus, SmokeLoader, Stealc, Vidar	Browse
	7pm0Cc79.exe	Get hash	malicious	Glupteba, Petite Virus, RedLine, SmokeLoader, Stealc, zgRAT	Browse
	o9B7y2ZGmy.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader, Stealc, Vidar	Browse
	i56vxb6Y1c.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse
	i56vxb6Y1c.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse
	file.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse
	file.exe	Get hash	malicious	Glupteba, Petite Virus, SmokeLoader, Socks5Systemz	Browse
	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.18387.20921.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse
	SecuriteInfo.com.Trojan-Dropper.Win32.Agent.7943.2954.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse
	SecuriteInfo.com.Trojan.Siggen22.47379.18495.1619.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse
	SecuriteInfo.com.Trojan.Siggen22.47379.31552.27212.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse
	SecuriteInfo.com.Trojan.Siggen22.47379.16280.19347.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse
	SecuriteInfo.com.Trojan.Siggen22.47379.12813.7531.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse
	adobe.exe	Get hash	malicious	Petite Virus, Socks5Systemz	Browse

Created / dropped Files

C:\Program Files (x86)\CPointASP\bin\x86\7z.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	337408
Entropy (8bit):	6.515131904432587
Encrypted:	false
SSDEEP:	6144:3nzsyDn7PDS+FDflUjvJUkbEOyF1rOpsuCOuOff5k4F/lTRHA:3377SKfgvqkbFyFJCRRzH
MD5:	62D2156E3CA8387964F7AA13DD1CCD5B
SHA1:	A5067E046ED9EA5512C94D1D17C394D6CF89CCCA
SHA-256:	59CBFBA941D3AC0238219DAA11C93969489B40F1E8B38FABDB5805AC3DD72BFA
SHA-512:	006F7C46021F339B6CBF9F0B80CFFA74ABB8D48E12986266D069738C4E6BDB799BFBA4B8EE4565A01E90DBE679A96A2399D795A6EAD6EACBB4818A155858BF60
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: C7e8AncaYu.exe, Detection: malicious, Browse Filename: aiJQkLaTCf.exe, Detection: malicious, Browse Filename: uVQLD8YVk6.exe, Detection: malicious, Browse Filename: W73PCbSH71.exe, Detection: malicious, Browse Filename: 1RS8d3yXB1.exe, Detection: malicious, Browse Filename: 7uu2Bn48.exe, Detection: malicious, Browse Filename: xksYucKYRR.exe, Detection: malicious, Browse Filename: 7pm0Cc79.exe, Detection: malicious, Browse Filename: o9B7y2ZGmy.exe, Detection: malicious, Browse Filename: i56vxb6Y1c.exe, Detection: malicious, Browse Filename: i56vxb6Y1c.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan-Dropper.Win32.Agent.18387.20921.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan-Dropper.Win32.Agent.7943.2954.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.Siggen22.47379.18495.1619.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.Siggen22.47379.31552.27212.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.Siggen22.47379.16280.19347.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.Siggen22.47379.12813.7531.exe, Detection: malicious, Browse Filename: adobe.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........@..\|...\|...\|...p...\|...w...\|.d.r...\|...v...\|...x...\|.i.#...\|...}.\|.\|.d.!...\|...w...\|..V....\|...v...\|.......\|. .z...\|.Rich..\|.........PE..L....r.b.....................>......\........ ....@.......................................@.....................................x....0.......................@...3................................................... ..(............................text............................... ..`.rdata..r.... ......................@..@.data....'..........................@....sxdata...... ......................@....rsrc........0......................@..@.reloc...<...@...>..................@..B........................................................................................................................................................................................................................................................

C:\Program Files (x86)\CPointASP\bin\x86\COPYING.LGPLv2.1 (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	ASCII text
Category:	dropped
Size (bytes):	26526
Entropy (8bit):	4.600837395607617
Encrypted:	false
SSDEEP:	384:Lc56OuAbnn0UReX6wFDVxnFw7xqsvzt+z/k8E9HinIhFkspcM9bc7ups0CZuQG:Lc5trLeDnFMz1ReScmc7GshZuQG
MD5:	BD7A443320AF8C812E4C18D1B79DF004
SHA1:	37D2F1D62FEC4DA0CAF06E5DA21AFC3521B597AA
SHA-256:	B634AB5640E258563C536E658CAD87080553DF6F34F62269A21D554844E58BFE
SHA-512:	21AEF7129B5B70E3F9255B1EA4DC994BF48B8A7F42CD90748D71465738D934891BBEC6C6FC6A1CCFAF7D3F35496677D62E2AF346D5E8266F6A51AE21A65C4460
Malicious:	false
Preview:	GNU LESSER GENERAL PUBLIC LICENSE. Version 2.1, February 1999.. Copyright (C) 1991, 1999 Free Software Foundation, Inc.. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. Everyone is permitted to copy and distribute verbatim copies. of this license document, but changing it is not allowed...[This is the first released version of the Lesser GPL. It also counts. as the successor of the GNU Library Public License, version 2, hence. the version number 2.1.].. Preamble.. The licenses for most software are designed to take away your.freedom to share and change it. By contrast, the GNU General Public.Licenses are intended to guarantee your freedom to share and change.free software--to make sure the software is free for all its users... This license, the Lesser General Public License, applies to some.specially designated software packages--typically libraries--of the.Free Software Foundation and other authors who

C:\Program Files (x86)\CPointASP\bin\x86\OptimFROG.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	214016
Entropy (8bit):	6.676457645865373
Encrypted:	false
SSDEEP:	3072:v3UEEkp2yVTcc295GSSazZq0/OlxAOxN5jZ2Ti30ezAg0Fu9RBhk1Xion:cEEpYcc2G/adqLtxLZ2+vAO9Hhkzn
MD5:	2C747F19BF1295EBBDAB9FB14BB19EE2
SHA1:	6F3B71826C51C739D6BB75085E634B2B2EF538BC
SHA-256:	D2074B91A63219CFD3313C850B2833CD579CC869EF751B1F5AD7EDFB77BD1EDD
SHA-512:	C100C0A5AF52D951F3905884E9B9D0EC1A0D0AEBE70550A646BA6E5D33583247F67CA19E1D045170A286D92EE84E1676A6C1B0527E017A35B6242DD9DEE05AF4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}6,.9WB.9WB.9WB...9.:WB.9WC.hWB....;WB."..&WB."..WB."...WB.9WB.?WB."..8WB."..8WB."..8WB.Rich9WB.........PE..L......W...........!.....N...........n.......`............................................@.........................`...h.......(....`..X....................p.......................................................`...............................text...?L.......N.................. ..`.rdata......`.......R..............@..@.data....W.......2..................@....rsrc...X....`......................@..@.reloc..f&...p...(..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CPointASP\bin\x86\bass_fx.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	34392
Entropy (8bit):	7.81689943223162
Encrypted:	false
SSDEEP:	768:mYBs3O9YL558R6R8P8W2rjQZQtfTIxRYsetoPNvPWIl+syr:vsUY15mqzW2u8rIxisFcJr
MD5:	EA245B00B9D27EF2BD96548A50A9CC2C
SHA1:	8463FDCDD5CED10C519EE0B406408AE55368E094
SHA-256:	4824A06B819CBE49C485D68A9802D9DAE3E3C54D4C2D8B706C8A87B56CEEFBF3
SHA-512:	EF1E107571402925AB5B1D9B096D7CEFF39C1245A23692A3976164D0DE0314F726CCA0CB10246FE58A13618FD5629A92025628373B3264153FC1D79B0415D9A7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ph..4...4...4.......0...[...0...[...6...4.......V...0...`*..........5....)......Rich4...........................PE..L.....T...........!................6 .......................................0......................................D#..y....!..d.......X............................................................................................................................z..................`....rsrc...........X...................@..@....................................`...petite....... ......................`...................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CPointASP\bin\x86\bass_ofr.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5960
Entropy (8bit):	5.956401374574174
Encrypted:	false
SSDEEP:	96:dj78cqhzbWKlECE7WbjDFf6IhaYYUOAoDf4+XCVhovG9AkM7Ui10:CjlEJ7WbjDFf6waYvdc4gYAkM10
MD5:	B3CC560AC7A5D1D266CB54E9A5A4767E
SHA1:	E169E924405C2114022674256AFC28FE493FBFDF
SHA-256:	EDDE733A8D2CA65C8B4865525290E55B703530C954F001E68D1B76B2A54EDCB5
SHA-512:	A836DECACB42CC3F7D42E2BF7A482AE066F5D1DF08CCCC466880391028059516847E1BF71E4C6A90D2D34016519D16981DDEEACFB94E166E4A9A720D9CC5D699
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................D.... ..PE..L......I...........!.....4...T......6`....... ...............................p......................................lc.......a.......@..H....................................................................................................................0..........................`....rsrc........@..H...................@..@.............P......................@................`......................`.......................................X....E......j...f.!.PRj.....j..S.ERROR!.Corrupt Data!...`..f.`P....h....j..P..C.h.....<$.3f....t...;S.^......Vj.PWj.j.Vj.PW....Y.Yf..X........X....................Z...t..$.4..l$..m..J...R...z.....XXXXZt.D$....P(......P...s.j.h`...h`.....j.h....h....j.3.3.0_.K~..[...s.3..^......s...$A."...L$..<.........;D$....;D$......$. ............u...........V+.48.^...u.........A............r..I.e...h....P..0................0..............h.... ..0...........6...........k...........

C:\Program Files (x86)\CPointASP\bin\x86\bass_tta.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	7910
Entropy (8bit):	6.931925007191986
Encrypted:	false
SSDEEP:	192:piDl1jKrGer007ia6abHX0d/aeHeN+VPHIJQxNiJCl9AK0f:IDJ9aDb30dCe+4PHIJrJCl9AK0f
MD5:	1268DEA570A7511FDC8E70C1149F6743
SHA1:	1D646FC69145EC6A4C0C9CAD80626AD40F22E8CD
SHA-256:	F266DBA7B23321BF963C8D8B1257A50E1467FAAAB9952EF7FFED1B6844616649
SHA-512:	E19F0EA39FF7AA11830AF5AAD53343288C742BE22299C815C84D24251FA2643B1E0401AF04E5F9B25CAB29601EA56783522DDB06C4195C6A609804880BAE9E9B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................D.... ..PE..L.....V...........!.................p.......0............................................@.........................Pr.......q..d....P.......................%.......................................................q..8....................................@..........................@..@.rsrc........P......................@..@.............`.........................@petite.......p......................`..`.........................................\|7{M..... ........r B`.Zr..P.........T}.e..YJ...=.X..q.}......b.I...G.....^.d...R..-R.....d_.......K.q.H.A=.-S..,_.....L...........2.............u.u.%...:.q....c.[.....`...\.X..8..B.@L..3.7.q.....)!.- ...D.....p...J...RU..Q.A..[.#&..R.....".+4...px/7..\....4...., ..8...5.hV.>] ....3.-.<..I+.<r..T..H,Q..!..i--..+.Zq.[...H... ...N.8..#...a.x.iU.G..-_..R....Z(cT%.....S.P.U:g?...;....&....@..KI.X.Q..PQ..v..*....{..~..}..f....c..`....Q...q..%......,j.4.Y..)....Cf7..

C:\Program Files (x86)\CPointASP\bin\x86\bassalac.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11532
Entropy (8bit):	7.219753259626605
Encrypted:	false
SSDEEP:	192:Dqv1jf+0vAe7Dl+JTGxuK5Rbfh70Il9MWbzq6UWkE0FGemexbiJi8TK0Q2:m9KIAeNgTGxu2Jfh1DMSzqKkvFGLJi85
MD5:	073F34B193F0831B3DD86313D74F1D2A
SHA1:	3DF5592532619C5D9B93B04AC8DBCEC062C6DD09
SHA-256:	C5EEC9CD18A344227374F2BC1A0D2CE2F1797CFFD404A0A28CF85439D15941E9
SHA-512:	EEFD583D1F213E5A5607C2CFBAED39E07AEC270B184E61A1BA0B5EF67ED7AC5518B5C77345CA9BD4F39D2C86FCD261021568ED14945E7A7541ADF78E18E64B0C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...................................D.... ..PE..L.....V...........!.........(...............P............................................@.........................P...........d....p..8...................82.........................................................8....................................`.......$..................@..@.rsrc........p.......&..............@..@.......................................@petite.............................`..`....................................#..L....y......"......O/..M...C.A.&:.e.i..l....CP...g.AK..S;.lf.?.g....].k.U.G.Y.J.",......%....:ge.D x.P }}..Tih.g......%G.Iy.j...\...S...s..$..........o..y..........,.........-..X.....v.M1..'...5R.4..8k!..q.=BVST<..M.E.._T.p...K.r....C.HEO....\..%%,I....>'.L.ct..{..I..l.Y#f Tk...:bH?.....G..Y.p..Q.....z/R.h>8....]S.....p.c/.m..6tc.d..(..{...=w4.w.^..d.....^..Tp.....Z..).Z."...&.-...o...xD+0.L+!...X.%?)+.P..Z.......P..F..P.".._.%9.^T;(..Y.>.. .....re

C:\Program Files (x86)\CPointASP\bin\x86\bassape.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	39304
Entropy (8bit):	7.819409739152795
Encrypted:	false
SSDEEP:	768:i5GGx+OZPWuGdoiwUpPLH7IN3x1eW0kIAJbfT13MMnahRlmftuohQf:i5DxDPWMApPLsNhkVkI6R3TnalauoQ
MD5:	C7A50ACE28DDE05B897E000FA398BBCE
SHA1:	33DA507B06614F890D8C8239E71D3D1372E61DAA
SHA-256:	F02979610F9BE2F267AA3260BB3DF0F79EEEB6F491A77EBBE719A44814602BCC
SHA-512:	4CD7F851C7778C99AFED492A040597356F1596BD81548C803C45565975CA6F075D61BC497FCE68C6B4FEDC1D0B5FD0D84FEAA187DC5E149F4E8E44492D999358
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....."b...........!.........x.......P.......................................`.......Z....@.........................PR.......Q..d....0..0............}......D........................................................Q..8.................................... .......t..................@..@.rsrc.... ...0.......v..............@..@petite.......P.......z..............`..`......................p..k..K..i{..\.H..'.\|w.t...\..dkB%..i.cX...`B...m.X..A.NU.i.I. J.I....x-.e2n.IA.2.:..2G5Z/.+(8w.S<...`ML........!..%+.r.s.1.~.D...]......U..q3.....9..?y.>j.E.T...Y..D..>..aJ......P^Y..w?.9w.,...+C^.[....\|..'.....7..F%..A.....)..b.)8.2Q`.v.F=.."S..{z...z-H=....L_....RM..s......H2P1a....[..i. 2..~.?...+R... .m(.I..X...H.g.Z..i..G.?.(......e.:.B......fh......gl.x.Z......I>..#....Hgv.;g.@ l.$(...0.........l.>.p..z;A.@...*4v..x.U.gU..Bqqb..6.x...D.....cIE(5m.g}J..

C:\Program Files (x86)\CPointASP\bin\x86\basscd.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18966
Entropy (8bit):	7.620111275837424
Encrypted:	false
SSDEEP:	384:gOKwxnw6OVDU839fgRgFMkucNauTT80CyTIz2bGjqXOK0Jo:gOHwBDUOe2McQkI0Cyo2Q/o
MD5:	F0F973781B6A66ADF354B04A36C5E944
SHA1:	8E8EE3A18D4CEC163AF8756E1644DF41C747EDC7
SHA-256:	04AB613C895B35044AF8A9A98A372A5769C80245CC9D6BF710A94C5BC42FA1B3
SHA-512:	118D5DACC2379913B725BD338F8445016F5A0D1987283B082D37C1D1C76200240E8C79660E980F05E13E4EB79BDA02256EAC52385DAA557C6E0C5D326D43A835
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...................................D.... ..PE..L...9#.]...........!.........B...............p............................................@.....................................x.......@....................M..........................................................@............................................>..................@..@.rsrc................@..............@..@.......................................@petite...............D..............`..`....................................g5 ....S%,_ .]/.0$R.yB..."@...N.AGG.^.?...1.........&?....v....6.0.. ME..(..gh\jv#.l..#$.Z&...._\`.@.......D.;.C~..m}3..\>.h..@.;.f Tho...(xVs..m.c..F..SS.C...z[....z...... .X.&....HY,...o.d..jP.nr..@.)..W.1#...b..Q.*E8.B..N5.....].........7..A..2c.M.q.O0(.Gi..B.....CT.(..+....>@T j.#!..."..P.u.3..5.Q0K..p....ERvG..._'...ir%m...NT.v:.....g.....8.+....m....8..Z.=.B.......D_..ln...C.......p8...e."...U...+.f..E.=X.j.DeD.X_.Y..n.r.!xWu..\.VB.......`.F.A....dx...

C:\Program Files (x86)\CPointASP\bin\x86\bassdsd.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	8456
Entropy (8bit):	6.767152008521429
Encrypted:	false
SSDEEP:	192:yxPHUtfhriUVoSoGtyo2xmJ8GbarAtT7/lxjFZnPK0cl:KPehriU3t2IiGbHTxZnPK0cl
MD5:	19E08B7F7B379A9D1F370E2B5CC622BD
SHA1:	3E2D2767459A92B557380C5796190DB15EC8A6EA
SHA-256:	AC97E5492A3CE1689A2B3C25D588FAC68DFF5C2B79FCF4067F2D781F092BA2A1
SHA-512:	564101A9428A053AA5B08E84586BCBB73874131154010A601FCE8A6FC8C4850C614B4B0A07ACF2A38FD2D4924D835584DB0A8B49EF369E2E450E458AC32CF256
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................D.... ..PE..L...#.MZ...........!.................p.......0............................................@.........................Pr.......q..d....P..8....................%.......................................................q..8....................................@..........................@..@.rsrc........P......................@..@.............`.........................@petite.......p......................`..`..................................................l..a.......1...3W..Z.....H...5.(...$.. .>X9..Fn... ..."j1..........%.7.d...".m...n.ePY......`....I.gYo..UC....Rq(...F......s..8`.I.....i..F.....'......@..-;.........J...Oq...b@...........$.D4E..($.....8':;.q....[-..{..w....@M....J$..0d..9Q.I^.^y.E..L_-.x!s.......W.H.R..@.6....MQ.Q8.s.."...!."IX.vM...!e.$%......U.....F.CoI..X.dA...0.Y..r.8.*p...<..M y...8..s....N5<.J....&..`...w..'..\s..%..A.`....s..j.H...X#..R.\..)R3@..X.P.5...G..t.f/..C.b.d...\|.

C:\Program Files (x86)\CPointASP\bin\x86\bassflac.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	36752
Entropy (8bit):	7.780431937344781
Encrypted:	false
SSDEEP:	768:E7epCl6I8YbTvEKXQ2vm+iocmmMt7KjuDnlVahRlmftuY5B:EepUv8aZvmd+7nDDalauy
MD5:	9FF783BB73F8868FA6599CDE65ED21D7
SHA1:	F515F91D62D36DC64ADAA06FA0EF6CF769376BDF
SHA-256:	E0234AF5F71592C472439536E710BA8105D62DFA68722965DF87FED50BAB1816
SHA-512:	C9D3C3502601026B6D55A91C583E0BB607BFC695409B984C0561D0CBE7D4F8BD231BC614E0EC1621C287BF0F207017D3E041694320E692FF00BC2220BFA26C26
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b...........!.........n.......................................................B....@.........................P...........d.......@............s.......x..........................................................8............................................j..................@..@.rsrc.... ...........l..............@..@petite...............p..............`..`..................8..u...I.x\|}...g{...@..ffe.c4.-.Bj..........U.J.`..s.N:`..I@;..B.kbmj..E%2. `....".]&.&.).BB...E..4u'.....Q.......%....V.............5...y....E..q<w.....j...B..O...p.....X...m...= .X..........4........~~.8.F@.V...6....;?.5..)S.m.9U......^.zO!1o.F.E. ...H=`2...9.(...4).E.!G..;R.1.#.h0..(..t8..O...Td.d..~...l.a..U...b<../..W....M6...U*G..II.x........>..I[...v.N/.V..3..Y.c...Zh.i..i.....n....M..D....5o."....(.9.+..z...._$t.T...X#\...N....Q%...>U..\|....J

C:\Program Files (x86)\CPointASP\bin\x86\bassmidi.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	36416
Entropy (8bit):	7.842278356440954
Encrypted:	false
SSDEEP:	768:lshkyPXvH6bPACtmb8boNQdVfCXewki/OvXEApOqmFfSq1oIQMW:lsh3n5Pb8boOdVCuwNEXEAonfSq1JQb
MD5:	BEBA64522AA8265751187E38D1FC0653
SHA1:	63FFB566AA7B2242FCC91A67E0EDA940C4596E8E
SHA-256:	8C58BC6C89772D0CD72C61E6CF982A3F51DEE9AAC946E076A0273CD3AAF3BE9D
SHA-512:	13214E191C6D94DB914835577C048ADF2240C7335C0A2C2274C096114B7B75CD2CE13A76316963CCD55EE371631998FAC678FCF82AE2AE178B7813B2C35C6651
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................D.... ..PE..L....}.Q...........!................6 ............`..........................0......................................d#.......!..........@...................t...........................................................................................................................`....rsrc...........@...................@..@....................................@................ ......................`.......................................X...{.......j...f.!.PRj.....j..S.ERROR!.Corrupt Data!... c.f.`P....h.p..j..P..C.h..`..<$.3f....t...;S.^......Vj.PWj.j.Vj.PW....Y.Yf..X........X....................Z...t..$.4..l$..m..J...R...z.....XXXXZt.D$....P(......P...s.j.h`...h`.....j.h....h....j.3.3.0_.K~..[...s.3..^......s...$A."...L$..<.........;D$....;D$......$. ............u...........V+.48.^...u.........A............r..I.....................]...............'..................................A...%...........

C:\Program Files (x86)\CPointASP\bin\x86\bassmix.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19008
Entropy (8bit):	7.672481244971812
Encrypted:	false
SSDEEP:	384:dz7otnjFa4ECX3yeGjA+tSXGnUav92hca+XWRlsuG+is:po7GU+szS3W7sQ7
MD5:	8EE91149989D50DFCF9DAD00DF87C9B0
SHA1:	E5581E6C1334A78E493539F8EA1CE585C9FFAF89
SHA-256:	3030E22F4A854E11A8AA2128991E4867CA1DF33BC7B9AFF76A5E6DEEF56927F6
SHA-512:	FA04E8524DA444DD91E4BD682CC9ADEE445259E0C6190A7DEF82B8C4478A78AAA8049337079AD01F7984DBA28316D72445A0F0D876F268A062AD9B8FF2A6E58D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................D.... ..PE..L....+vS...........!....6...6.......6........p......................................................................0..........P.......@...................tM.......................................................................................................>..................`....rsrc...........@....H..............@..@....................................@...........6...........................`.......................................D...n'......j...f.!.PRj.....j..S.ERROR!.Corrupt Data!......f.`P....h.5..j..P..C.h.....<$.3f....t...;S.^......Vj.PWj.j.Vj.PW....Y.Yf..X........X............f.......Z...t..$.4..l$..m..J...R...z.....XXXXZt.D$....P(......P...s.j.h`...h`.....j.h....h....j.3.3.0_.K~..[...s.3..^......s...$A."...L$..<.........;D$....;D$......$. ............u...........V+.48.^...u.........A............r..I..K..........(...\|...}K...................E..K....p..j...g........Q..........y...........

C:\Program Files (x86)\CPointASP\bin\x86\bassopus.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	68876
Entropy (8bit):	7.922125376804506
Encrypted:	false
SSDEEP:	1536:q0Z4sz1ZMjCjDIhoLffiedENahBzzxO/JfgmYFGKEvi8TxCI+vHVl:v4MzMjGkhoLfsahS/JYN2vUl
MD5:	4E35BA785CD3B37A3702E577510F39E3
SHA1:	A2FD74A68BEFF732E5F3CB0835713AEA8D639902
SHA-256:	0AFE688B6FCA94C69780F454BE65E12D616C6E6376E80C5B3835E3FA6DE3EB8A
SHA-512:	1B839AF5B4049A20D9B8A0779FE943A4238C8FBFBF306BC6D3A27AF45C76F6C56B57B2EC8F087F7034D89B5B139E53A626A8D7316BE1374EAC28B06D23E7995D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...................................D.... ..PE..L.....U]...........!......................... ............................................@.........................P...........d.......@...............................................................................8...............................................................@..@.rsrc...............................@..@.......................................@petite..............................`..`...........................................&MK#H..OEJ..}??...:..$ayf.r7.w(/.d`...A(7.%p.f.>\..d."..W......[4.0..ZY..... .....~...T....9a+..'.......g!.....l...<..?Y.(..[k.I=....D.....c..=.?.8...D>0...#.ZdO..Z...%......X.P..bS..s..=$...m.N........A......A4..J>Wa.N..K.>....2n8.ii.#....y#.J ....i!...a7..Pbl@B.%h0..8RSr.........]..z.\...x..e..5.3.$h. <G.3....-......Q....O0..,......Y}......@...<...t.H).T..! .....ap......Tj.o...0b...`..yX.. g...hzA...b.7.s$M.... ..'....\$...H.\.l.C g..4..(.6@.Q....B(..

C:\Program Files (x86)\CPointASP\bin\x86\basswma.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	17472
Entropy (8bit):	7.524548435291935
Encrypted:	false
SSDEEP:	384:IwwsQD13cT5HhSVeEQNW5kbbcGEh/qTio+lyTnGy:QRD13ySVeEOW5kbSSTHNTnr
MD5:	7B52BE6D702AA590DB57A0E135F81C45
SHA1:	518FB84C77E547DD73C335D2090A35537111F837
SHA-256:	9B5A8B323D2D1209A5696EAF521669886F028CE1ECDBB49D1610C09A22746330
SHA-512:	79C1959A689BDC29B63CA771F7E1AB6FF960552CADF0644A7C25C31775FE3458884821A0130B1BAB425C3B41F1C680D4776DD5311CE3939775A39143C873A6FE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................D.... ..PE..L....^.L...........!....%v..%.......6........`......................................................................h..................@....................F...............................................................................................p.......8..................`....rsrc...........@....B..............@..@....................................@...........%...........................`.......................................X...x..0....j...f.!.PRj.....j..S.ERROR!.Corrupt Data!......f.`P....h.,..j..P..C.h.....<$.3f....t...;S.^......Vj.PWj.j.Vj.PW....Y.Yf..X........X....................Z...t..$.4..l$..m..J...R...z.....XXXXZt.D$....P(......P...s.j.h`...h`.....j.h....h....j.3.3.0_.K~..[...s.3..^......s...$A."...L$..<.........;D$....;D$......$. ............u...........V+.48.^...u.........A............r..I..D..%...........\|...CC.......p......n....<.......`..............lH......)...............

C:\Program Files (x86)\CPointASP\bin\x86\basswv.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	35588
Entropy (8bit):	7.817557274117395
Encrypted:	false
SSDEEP:	768:dCrMZHv56WRldhmLjQDrbfc8cznHvc6modHQ:sAR0LzHvc6m2HQ
MD5:	58521D1AC2C588B85642354F6C0C7812
SHA1:	5912D2507F78C18D5DC567B2FA8D5AE305345972
SHA-256:	452EEE1E4EF2FE2E00060113CCE206E90986E2807BB966019AC4E9DEB303A9BD
SHA-512:	3988B61F6B633718DE36C0669101E438E70A17E3962A5C3A519BDECC3942201BA9C3B3F94515898BB2F8354338BA202A801B22129FC6D56598103B13364748C1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...................................D.... ..PE..L.....yX...........!.................@.......................................P............@.........................PB.......A..d.... ..@...................P........................................................A..8...............................................................@..@.rsrc........ ......................@..@.............0.........................@petite.......@......................`..`...................................._3.....g.ge..7t...R-_.R.@c.S.\..J?L.EZ.,....=H8..;.QJ.....P-)eFs93:.^...f......}..?...e...SD.......-.u.......q2...P...6..z5.T.S..P..Q....@..Mq.>....8" F...,..FE...S.[U..c......jr....b...-%...`......w..+W.C......]..#......LS....W.Y....o.8...i.[)..%(.2.t...YY .bL.....b.@&J,?l.........$..F..&...a#.\[".^...&]co....K.>...xQzw..XW.uT..+dm.o.b...@c....3..r....@]...P........{C/.....A!.&..........'....._..."S..&..F.......:.dxtK.6...7.I...Q..Nm2.....NX..fG..L..7.?..".(

C:\Program Files (x86)\CPointASP\bin\x86\copying (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	1059
Entropy (8bit):	5.1208137218866945
Encrypted:	false
SSDEEP:	24:LLDrmJHHH0yN3gtsHw1hj9QHOsUv4eOk4/+/m3oqLF5n:LLDaJHlxE35QHOs5exm3ogF5n
MD5:	B7EDCC6CB01ACE25EBD2555CF15473DC
SHA1:	2627FF03833F74ED51A7F43C55D30B249B6A0707
SHA-256:	D6B4754BB67BDD08B97D5D11B2D7434997A371585A78FE77007149DF3AF8D09C
SHA-512:	962BD5C9FB510D57FAC0C3B189B7ADEB29E00BED60F0BB9D7E899601C06C2263EDA976E64C352E4B7C0AAEFB70D2FCB0ABEF45E43882089477881A303EB88C09
Malicious:	false
Preview:	Copyright (c) 2011 Jan Kokem.ller..Permission is hereby granted, free of charge, to any person obtaining a copy.of this software and associated documentation files (the "Software"), to deal.in the Software without restriction, including without limitation the rights.to use, copy, modify, merge, publish, distribute, sublicense, and/or sell.copies of the Software, and to permit persons to whom the Software is.furnished to do so, subject to the following conditions:..The above copyright notice and this permission notice shall be included in.all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR.IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,.FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE.AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER.LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,.OUT OF OR IN CONNECTION WITH

C:\Program Files (x86)\CPointASP\bin\x86\d_writer.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	16910
Entropy (8bit):	5.289608933932413
Encrypted:	false
SSDEEP:	384:ohtyjknGC7hipL+9mLYFOozxkdlDNUwS5Qq:UGknGC74l+MUFI7C
MD5:	2F040608E68E679DD42B7D8D3FCA563E
SHA1:	4B2C3A6B8902E32CDA33A241B24A79BE380C55FC
SHA-256:	6B980CADC3E7047CC51AD1234CB7E76FF520149A746CB64E5631AF1EA1939962
SHA-512:	718AF5BE259973732179ABA45B672637FCA21AE575B4115A62139A751C04F267F355B8F7F7432B56719D91390DABA774B39283CBCFE18F09CA033389FB31A4FC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........B.........#.........>...f...........0.....h......................... ................ .........................{.......\|...............................$...........................pA.......................................................text...4...........................`.P`.data...<....0......."..............@.0..rdata.......@.......$..............@.`@/4...........P.......(..............@.0@.bss.....d...`........................`..edata..{............2..............@.0@.idata..\|............4..............@.0..CRT....,............:..............@.0..tls.................<..............@.0..reloc..$............>..............@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CPointASP\bin\x86\da.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	15374
Entropy (8bit):	5.192037544202194
Encrypted:	false
SSDEEP:	384:lhgkOI7BGi9gKV6uq+u6JewsNhNXUwSCgQ:DT7BGVKPKbXF
MD5:	BEFD36FE8383549246E1FD49DB270C07
SHA1:	1EF12B568599F31292879A8581F6CD0279F3E92A
SHA-256:	B5942E8096C95118C425B30CEC8838904897CDEF78297C7BBB96D7E2D45EE288
SHA-512:	FD9AA6A4134858A715BE846841827196382D0D86F2B1AA5C7A249B770408815B0FE30C4D1E634E8D6D3C8FEDBCE4654CD5DC240F91D54FC8A7EFE7CAE2E569F4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........<.........#.........8...............0.....f................................b......... ......................p..E.......h...........................................................P@......................................................text...............................`.P`.data...,....0....... ..............@.0..rdata.......@......."..............@.0@/4...........P.......$..............@.0@.bss.........`........................`..edata..E....p......................@.0@.idata..h............0..............@.0..CRT....,............6..............@.0..tls.................8..............@.0..reloc...............:..............@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CPointASP\bin\x86\daiso.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	197646
Entropy (8bit):	6.1570532273946625
Encrypted:	false
SSDEEP:	3072:brPGp0y4SP+iBGgySYm+dE3sYrJqkAzhU88vsAGSW+:brPGaTEsHSYmbbOU8osAGG
MD5:	2C8EC61630F8AA6AAC674E4C63F4C973
SHA1:	64E3BB9AA505C66E87FE912D4EA3054ADF6CEF76
SHA-256:	DFD55D0DDD1A7D081FCE8E552DC29706A84DC6CA2FDD2F82D63F33D74E882849
SHA-512:	488378012FB5F477ED4636C37D7A883B1DAD0FBC671D238B577A9374EFE40AB781F5E483AE921F1909A9B7C1C2A3E78E29B533D3B6FFE15AAEE840CAD2DCF5D0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#...............................m................................]_........ ...................... ..A....0...............................`..............................p0.......................1..D............................text...............................`.P`.data...............................@.0..rdata..L0.......2..................@.`@/4...........P......................@.0@.bss..................................`..edata..A.... ......................@.0@.idata.......0......................@.0..CRT....,....@......................@.0..tls.........P......................@.0..reloc.......`......................@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CPointASP\bin\x86\dsd2.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	31936
Entropy (8bit):	6.6461204214578
Encrypted:	false
SSDEEP:	768:SEEn30ilOAb++HynTDbc3fwaVCPxWE/MM:SEa0YOU1HgU3fwaVCPxqM
MD5:	72E3BDD0CE0AF6A3A3C82F3AE6426814
SHA1:	A2FB64D5B9F5F3181D1A622D918262CE2F9A7AA3
SHA-256:	7AC8A8D5679C96D14C15E6DBC6C72C260AAEFB002D0A4B5D28B3A5C2B15DF0AB
SHA-512:	A876D0872BFBF099101F7F042AEAF1FD44208A354E64FC18BAB496BEEC6FDABCA432A852795CFC0A220013F619F13281B93ECC46160763AC7018AD97E8CC7971
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........P.........#.....&...L...............@.....d................................8......... .........................b............................P...,...................................R......................x................................text....%.......&..................`.P`.data........@.......*..............@.`..rdata.......P.......,..............@.0@/4...........`.......2..............@.0@.bss.........p........................`..edata..b............>..............@.0@.idata...............@..............@.0..CRT....,............H..............@.0..tls.................J..............@.0..reloc...............L..............@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CPointASP\bin\x86\dsd2pcmt.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	197120
Entropy (8bit):	6.423554884287906
Encrypted:	false
SSDEEP:	6144:X+dMKihenEUunaA+mVMISPCG5vHglwiaJVZkRyAHeOdrQpCklkHy+axeY0R2JdXs:MagxOOZWP2dC28d+y2e
MD5:	67247C0ACA089BDE943F802BFBA8752C
SHA1:	508DA6E0CF31A245D27772C70FFA9A2AE54930A3
SHA-256:	BAB8D388EA3AF1AABB61B8884CFAA7276A2BFD77789856DD610480C55E4D0A60
SHA-512:	C4A690A53581D3E4304188FD772C6F1DA1C72ED2237A13951ACE8879D1986423813A6F7534FF506790CB81633CEB7FF6A6239C1F852725FBACA4B40D9AE3F2DB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......d,.. M.. M.. M..4&..-M..4&...M..4&..3M..r8...M..r8../M..r8..1M..4&..#M.. M.._M..v8..$M..v8..!M..v8..!M..v8..!M..Rich M..........PE..L... ..a...........!.........................................................@............@.........................@...p.......(............................ ..(...P...8...............................@...............H............................text...>........................... ..`.rdata..d...........................@..@.data...H...........................@....rsrc...............................@..@.reloc..(.... ......................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CPointASP\bin\x86\dstt.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	115712
Entropy (8bit):	6.401537154757194
Encrypted:	false
SSDEEP:	3072:rY4gILp0Vt7BMkvfHutO+eP0ZjflQf5xqkYXeo21sb2rqG70:rY4gILp0Vt77nLBCtQfjqv8qG70
MD5:	840D631DA54C308B23590AD6366EBA77
SHA1:	5ED0928667451239E62E6A0A744DA47C74E1CF89
SHA-256:	6BAD60DF9A560FB7D6F8647B75C367FDA232BDFCA2291273A21179495DAC3DB9
SHA-512:	1394A48240BA4EF386215942465BDE418C5C6ED73FC935FE7D207D2A1370155C94CDC15431985ED4E656CA6B777BA79FFC88E78FA3D99DB7E0E6EAC7D1663594
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?..R{...{...{...o...q...o.......o...i...)...W...)...t...)...j...o...x...{.......-...s...-...z...-.4.z...-...z...Rich{...........PE..L....H.a...........!.....$...........h.......@............................... ............@.............................x.......(.......................................8..............................@............@..D............................text....#.......$.................. ..`.rdata...x...@...z...(..............@..@.data.... ..........................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CPointASP\bin\x86\ff_helper.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	62478
Entropy (8bit):	6.063363187934607
Encrypted:	false
SSDEEP:	768:q3s6+NMpjqudP/XB9rGCWLEc6wY3U0LvDcb0wGNPdqdRJy/5f4mdajO42iySAqB:q8zNM1nBId/ce7GNP6m/5AQGySAs
MD5:	940EEBDB301CB64C7EA2E7FA0646DAA3
SHA1:	0347F029DA33C30BBF3FB067A634B49E8C89FEC2
SHA-256:	B0B56F11549CE55B4DC6F94ECBA84AEEDBA4300D92F4DC8F43C3C9EEEFCBE3C5
SHA-512:	50D455C16076C0738FB1FECAE7705E2C9757DF5961D74B7155D7DFB3FAB671F964C73F919CC749D100F6A90A3454BFF0D15ED245A7D26ABCAA5E0FDE3DC958FD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#...............................k.........................`................ .........................r.......D............................P..\|.......................................................\............................text...............................`.P`.data...0...........................@.0..rdata..8...........................@.`@/4......L...........................@.0@.bss..................................`..edata..r...........................@.0@.idata..D...........................@.0..CRT....,....0......................@.0..tls.........@......................@.0..reloc..\|....P......................@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CPointASP\bin\x86\gain_analysis.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	26126
Entropy (8bit):	6.048294343792499
Encrypted:	false
SSDEEP:	384:hhkxE9v7/GRm4v5OxlBWaEybb9p7aCyS/hU7CateHcUwSCnq6D:Yx6jGXvc5WaBb99yS/hQh
MD5:	D1223F86EDF0D5A2D32F1E2AAAF8AE3F
SHA1:	C286CA29826A138F3E01A3D654B2F15E21DBE445
SHA-256:	E0E11A058C4B0ADD3892E0BEA204F6F60A47AFC86A21076036393607235B469C
SHA-512:	7EA1FFB23F8A850F5D3893C6BB66BF95FAB2F10F236A781620E9DC6026F175AAE824FD0E03082F0CF13D05D13A8EEDE4F5067491945FCA82BBCDCF68A0109CFF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........f.........#.....6...b...............P.....h................................8-........ .........................i...................................................................Lk......................................................text....4.......6..................`.P`.data...,....P.......:..............@.0..rdata.......`.......<..............@.`@/4......T....p.......J..............@.0@.bss..................................`..edata..i............V..............@.0@.idata...............X..............@.0..CRT....,............^..............@.0..tls.................`..............@.0..reloc...............b..............@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CPointASP\bin\x86\is-01D6N.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11532
Entropy (8bit):	7.219753259626605
Encrypted:	false
SSDEEP:	192:Dqv1jf+0vAe7Dl+JTGxuK5Rbfh70Il9MWbzq6UWkE0FGemexbiJi8TK0Q2:m9KIAeNgTGxu2Jfh1DMSzqKkvFGLJi85
MD5:	073F34B193F0831B3DD86313D74F1D2A
SHA1:	3DF5592532619C5D9B93B04AC8DBCEC062C6DD09
SHA-256:	C5EEC9CD18A344227374F2BC1A0D2CE2F1797CFFD404A0A28CF85439D15941E9
SHA-512:	EEFD583D1F213E5A5607C2CFBAED39E07AEC270B184E61A1BA0B5EF67ED7AC5518B5C77345CA9BD4F39D2C86FCD261021568ED14945E7A7541ADF78E18E64B0C
Malicious:	false
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\Program Files (x86)\CPointASP\bin\x86\is-01D6N.tmp, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...................................D.... ..PE..L.....V...........!.........(...............P............................................@.........................P...........d....p..8...................82.........................................................8....................................`.......$..................@..@.rsrc........p.......&..............@..@.......................................@petite.............................`..`....................................#..L....y......"......O/..M...C.A.&:.e.i..l....CP...g.AK..S;.lf.?.g....].k.U.G.Y.J.",......%....:ge.D x.P }}..Tih.g......%G.Iy.j...\...S...s..$..........o..y..........,.........-..X.....v.M1..'...5R.4..8k!..q.=BVST<..M.E.._T.p...K.r....C.HEO....\..%%,I....>'.L.ct..{..I..l.Y#f Tk...:bH?.....G..Y.p..Q.....z/R.h>8....]S.....p.c/.m..6tc.d..(..{...=w4.w.^..d.....^..Tp.....Z..).Z."...&.-...o...xD+0.L+!...X.%?)+.P..Z.......P..F..P.".._.%9.^T;(..Y.>.. .....re

C:\Program Files (x86)\CPointASP\bin\x86\is-040AJ.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	43520
Entropy (8bit):	6.232860260916194
Encrypted:	false
SSDEEP:	768:XozEJVjDF38DrOPwLg0cAY7K+k+Y+TyHMjMbHVJx9jm3LkkteFfXbBekdAnPKx:Xo4JJDirOoLg0C7F/rDGdpB52PK
MD5:	B162992412E08888456AE13BA8BD3D90
SHA1:	095FA02EB14FD4BD6EA06F112FDAFE97522F9888
SHA-256:	2581A6BCA6F4B307658B24A7584A6B300C91E32F2FE06EB1DCA00ADCE60FA723
SHA-512:	078594DE66F7E065DCB48DA7C13A6A15F8516800D5CEE14BA267F43DC73BC38779A4A4ED9444AFDFA581523392CBE06B0241AA8EC0148E6BCEA8E23B78486824
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....z.......D................,n.........................p.......`........ ...................... .......0...............................`..............................t........................0...............................text....x.......z..................`.P`.data...,............~..............@.0..rdata..............................@.P@.eh_fram\|...........................@.0@.bss.....B............................`..edata....... ......................@.0@.idata.......0......................@.0..CRT....,....@......................@.0..tls.........P......................@.0..reloc.......`......................@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CPointASP\bin\x86\is-0U1TM.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	62478
Entropy (8bit):	6.063363187934607
Encrypted:	false
SSDEEP:	768:q3s6+NMpjqudP/XB9rGCWLEc6wY3U0LvDcb0wGNPdqdRJy/5f4mdajO42iySAqB:q8zNM1nBId/ce7GNP6m/5AQGySAs
MD5:	940EEBDB301CB64C7EA2E7FA0646DAA3
SHA1:	0347F029DA33C30BBF3FB067A634B49E8C89FEC2
SHA-256:	B0B56F11549CE55B4DC6F94ECBA84AEEDBA4300D92F4DC8F43C3C9EEEFCBE3C5
SHA-512:	50D455C16076C0738FB1FECAE7705E2C9757DF5961D74B7155D7DFB3FAB671F964C73F919CC749D100F6A90A3454BFF0D15ED245A7D26ABCAA5E0FDE3DC958FD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#...............................k.........................`................ .........................r.......D............................P..\|.......................................................\............................text...............................`.P`.data...0...........................@.0..rdata..8...........................@.`@/4......L...........................@.0@.bss..................................`..edata..r...........................@.0@.idata..D...........................@.0..CRT....,....0......................@.0..tls.........@......................@.0..reloc..\|....P......................@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CPointASP\bin\x86\is-1TTMQ.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18966
Entropy (8bit):	7.620111275837424
Encrypted:	false
SSDEEP:	384:gOKwxnw6OVDU839fgRgFMkucNauTT80CyTIz2bGjqXOK0Jo:gOHwBDUOe2McQkI0Cyo2Q/o
MD5:	F0F973781B6A66ADF354B04A36C5E944
SHA1:	8E8EE3A18D4CEC163AF8756E1644DF41C747EDC7
SHA-256:	04AB613C895B35044AF8A9A98A372A5769C80245CC9D6BF710A94C5BC42FA1B3
SHA-512:	118D5DACC2379913B725BD338F8445016F5A0D1987283B082D37C1D1C76200240E8C79660E980F05E13E4EB79BDA02256EAC52385DAA557C6E0C5D326D43A835
Malicious:	true
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\Program Files (x86)\CPointASP\bin\x86\is-1TTMQ.tmp, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...................................D.... ..PE..L...9#.]...........!.........B...............p............................................@.....................................x.......@....................M..........................................................@............................................>..................@..@.rsrc................@..............@..@.......................................@petite...............D..............`..`....................................g5 ....S%,_ .]/.0$R.yB..."@...N.AGG.^.?...1.........&?....v....6.0.. ME..(..gh\jv#.l..#$.Z&...._\`.@.......D.;.C~..m}3..\>.h..@.;.f Tho...(xVs..m.c..F..SS.C...z[....z...... .X.&....HY,...o.d..jP.nr..@.)..W.1#...b..Q.*E8.B..N5.....].........7..A..2c.M.q.O0(.Gi..B.....CT.(..+....>@T j.#!..."..P.u.3..5.Q0K..p....ERvG..._'...ir%m...NT.v:.....g.....8.+....m....8..Z.=.B.......D_..ln...C.......p8...e."...U...+.f..E.=X.j.DeD.X_.Y..n.r.!xWu..\.VB.......`.F.A....dx...

C:\Program Files (x86)\CPointASP\bin\x86\is-1V3O7.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	258560
Entropy (8bit):	6.491223412910377
Encrypted:	false
SSDEEP:	6144:X+FRYMGwNozw5upAagZnb80OXrGSc+w9nI7ZMcyVhk233M:SGMGbw5upAagZb80SMXzkgM
MD5:	DB191B89F4D015B1B9AEE99AC78A7E65
SHA1:	8DAC370768E7480481300DD5EBF8BA9CE36E11E3
SHA-256:	38A75F86DB58EB8D2A7C0213861860A64833C78F59EFF19141FFD6C3B6E28835
SHA-512:	A27E26962B43BA84A5A82238556D06672DCF17931F866D24E6E8DCE88F7B30E80BA38B071943B407A7F150A57CF1DA13D2137C235B902405BEDBE229B6D03784
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B.j..f...f...f..]....f..]...f..]....f......f......f......f......f..]....f...f..]f......f......f......f...f...f......f..Rich.f..........PE..L...y.._...........!................@........ ...............................@..........................................d...$...(.......h.................... ......................................(...@............ ..8............................text...q........................... ..`asmcode.>$.......&.................. ..`.rdata..B.... ......................@..@.data...............................@....rsrc...h...........................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................

C:\Program Files (x86)\CPointASP\bin\x86\is-2458N.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	123406
Entropy (8bit):	6.263889638223575
Encrypted:	false
SSDEEP:	1536:hnPkU1t2P2hHV5JG1YBBAUBEd8+poyez9djcx2/8s6UJqfxX+1XOAhbKzb3+d:xPu21IYyCTToE6c+6e+d
MD5:	B49ECFA819479C3DCD97FAE2A8AB6EC6
SHA1:	1B8D47D4125028BBB025AAFCA1759DEB3FC0C298
SHA-256:	B9D5317E10E49AA9AD8AD738EEBE9ACD360CC5B20E2617E5C0C43740B95FC0F2
SHA-512:	18617E57A76EFF6D95A1ED735CE8D5B752F1FB550045FBBEDAC4E8E67062ACD7845ADC6FBE62238C383CED5E01D7AA4AB8F968DC442B67D62D2ED712DB67DC13
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........................R.......d>..........p....@...........................@......^........ ...............................@.4...................................................................................\|.@.@............................text....Q.......R..................`.P`.data...\....p.......V..............@.@..rdata...a.......b...X..............@.`@/4..................................@.0@.bss.....c>...........................`..idata..4.....@.....................@.0..CRT....4.....@.....................@.0..tls..........@.....................@.0.................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CPointASP\bin\x86\is-2CL5A.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	197120
Entropy (8bit):	6.423554884287906
Encrypted:	false
SSDEEP:	6144:X+dMKihenEUunaA+mVMISPCG5vHglwiaJVZkRyAHeOdrQpCklkHy+axeY0R2JdXs:MagxOOZWP2dC28d+y2e
MD5:	67247C0ACA089BDE943F802BFBA8752C
SHA1:	508DA6E0CF31A245D27772C70FFA9A2AE54930A3
SHA-256:	BAB8D388EA3AF1AABB61B8884CFAA7276A2BFD77789856DD610480C55E4D0A60
SHA-512:	C4A690A53581D3E4304188FD772C6F1DA1C72ED2237A13951ACE8879D1986423813A6F7534FF506790CB81633CEB7FF6A6239C1F852725FBACA4B40D9AE3F2DB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......d,.. M.. M.. M..4&..-M..4&...M..4&..3M..r8...M..r8../M..r8..1M..4&..#M.. M.._M..v8..$M..v8..!M..v8..!M..v8..!M..Rich M..........PE..L... ..a...........!.........................................................@............@.........................@...p.......(............................ ..(...P...8...............................@...............H............................text...>........................... ..`.rdata..d...........................@..@.data...H...........................@....rsrc...............................@..@.reloc..(.... ......................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CPointASP\bin\x86\is-4CSOT.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	35588
Entropy (8bit):	7.817557274117395
Encrypted:	false
SSDEEP:	768:dCrMZHv56WRldhmLjQDrbfc8cznHvc6modHQ:sAR0LzHvc6m2HQ
MD5:	58521D1AC2C588B85642354F6C0C7812
SHA1:	5912D2507F78C18D5DC567B2FA8D5AE305345972
SHA-256:	452EEE1E4EF2FE2E00060113CCE206E90986E2807BB966019AC4E9DEB303A9BD
SHA-512:	3988B61F6B633718DE36C0669101E438E70A17E3962A5C3A519BDECC3942201BA9C3B3F94515898BB2F8354338BA202A801B22129FC6D56598103B13364748C1
Malicious:	false
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\Program Files (x86)\CPointASP\bin\x86\is-4CSOT.tmp, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...................................D.... ..PE..L.....yX...........!.................@.......................................P............@.........................PB.......A..d.... ..@...................P........................................................A..8...............................................................@..@.rsrc........ ......................@..@.............0.........................@petite.......@......................`..`...................................._3.....g.ge..7t...R-_.R.@c.S.\..J?L.EZ.,....=H8..;.QJ.....P-)eFs93:.^...f......}..?...e...SD.......-.u.......q2...P...6..z5.T.S..P..Q....@..Mq.>....8" F...,..FE...S.[U..c......jr....b...-%...`......w..+W.C......]..#......LS....W.Y....o.8...i.[)..%(.2.t...YY .bL.....b.@&J,?l.........$..F..&...a#.\[".^...&]co....K.>...xQzw..XW.uT..+dm.o.b...@c....3..r....@]...P........{C/.....A!.&..........'....._..."S..&..F.......:.dxtK.6...7.I...Q..Nm2.....NX..fG..L..7.?..".(

C:\Program Files (x86)\CPointASP\bin\x86\is-7QIAL.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19008
Entropy (8bit):	7.672481244971812
Encrypted:	false
SSDEEP:	384:dz7otnjFa4ECX3yeGjA+tSXGnUav92hca+XWRlsuG+is:po7GU+szS3W7sQ7
MD5:	8EE91149989D50DFCF9DAD00DF87C9B0
SHA1:	E5581E6C1334A78E493539F8EA1CE585C9FFAF89
SHA-256:	3030E22F4A854E11A8AA2128991E4867CA1DF33BC7B9AFF76A5E6DEEF56927F6
SHA-512:	FA04E8524DA444DD91E4BD682CC9ADEE445259E0C6190A7DEF82B8C4478A78AAA8049337079AD01F7984DBA28316D72445A0F0D876F268A062AD9B8FF2A6E58D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................D.... ..PE..L....+vS...........!....6...6.......6........p......................................................................0..........P.......@...................tM.......................................................................................................>..................`....rsrc...........@....H..............@..@....................................@...........6...........................`.......................................D...n'......j...f.!.PRj.....j..S.ERROR!.Corrupt Data!......f.`P....h.5..j..P..C.h.....<$.3f....t...;S.^......Vj.PWj.j.Vj.PW....Y.Yf..X........X............f.......Z...t..$.4..l$..m..J...R...z.....XXXXZt.D$....P(......P...s.j.h`...h`.....j.h....h....j.3.3.0_.K~..[...s.3..^......s...$A."...L$..<.........;D$....;D$......$. ............u...........V+.48.^...u.........A............r..I..K..........(...\|...}K...................E..K....p..j...g........Q..........y...........

C:\Program Files (x86)\CPointASP\bin\x86\is-7RFNU.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	34392
Entropy (8bit):	7.81689943223162
Encrypted:	false
SSDEEP:	768:mYBs3O9YL558R6R8P8W2rjQZQtfTIxRYsetoPNvPWIl+syr:vsUY15mqzW2u8rIxisFcJr
MD5:	EA245B00B9D27EF2BD96548A50A9CC2C
SHA1:	8463FDCDD5CED10C519EE0B406408AE55368E094
SHA-256:	4824A06B819CBE49C485D68A9802D9DAE3E3C54D4C2D8B706C8A87B56CEEFBF3
SHA-512:	EF1E107571402925AB5B1D9B096D7CEFF39C1245A23692A3976164D0DE0314F726CCA0CB10246FE58A13618FD5629A92025628373B3264153FC1D79B0415D9A7
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ph..4...4...4.......0...[...0...[...6...4.......V...0...`*..........5....)......Rich4...........................PE..L.....T...........!................6 .......................................0......................................D#..y....!..d.......X............................................................................................................................z..................`....rsrc...........X...................@..@....................................`...petite....... ......................`...................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CPointASP\bin\x86\is-7TH98.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	36752
Entropy (8bit):	7.780431937344781
Encrypted:	false
SSDEEP:	768:E7epCl6I8YbTvEKXQ2vm+iocmmMt7KjuDnlVahRlmftuY5B:EepUv8aZvmd+7nDDalauy
MD5:	9FF783BB73F8868FA6599CDE65ED21D7
SHA1:	F515F91D62D36DC64ADAA06FA0EF6CF769376BDF
SHA-256:	E0234AF5F71592C472439536E710BA8105D62DFA68722965DF87FED50BAB1816
SHA-512:	C9D3C3502601026B6D55A91C583E0BB607BFC695409B984C0561D0CBE7D4F8BD231BC614E0EC1621C287BF0F207017D3E041694320E692FF00BC2220BFA26C26
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......b...........!.........n.......................................................B....@.........................P...........d.......@............s.......x..........................................................8............................................j..................@..@.rsrc.... ...........l..............@..@petite...............p..............`..`..................8..u...I.x\|}...g{...@..ffe.c4.-.Bj..........U.J.`..s.N:`..I@;..B.kbmj..E%2. `....".]&.&.).BB...E..4u'.....Q.......%....V.............5...y....E..q<w.....j...B..O...p.....X...m...= .X..........4........~~.8.F@.V...6....;?.5..)S.m.9U......^.zO!1o.F.E. ...H=`2...9.(...4).E.!G..;R.1.#.h0..(..t8..O...Td.d..~...l.a..U...b<../..W....M6...U*G..II.x........>..I[...v.N/.V..3..Y.c...Zh.i..i.....n....M..D....5o."....(.9.+..z...._$t.T...X#\...N....Q%...>U..\|....J

C:\Program Files (x86)\CPointASP\bin\x86\is-93FRL.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	68042
Entropy (8bit):	6.090396152400884
Encrypted:	false
SSDEEP:	768:RX3HAdi7wgCsL6dVSngk2IFm3ZJVRDBLRROBBKRzPm3YRiF+ixh:NHQpe6SnZQLjICPm3Ytib
MD5:	5DDA5D34AC6AA5691031FD4241538C82
SHA1:	22788C2EBE5D50FF36345EA0CB16035FABAB8A6C
SHA-256:	DE1A9DD251E29718176F675455592BC1904086B9235A89E6263A3085DDDCBB63
SHA-512:	08385DE11A0943A6F05AC3F8F1E309E1799D28EA50BF1CA6CEB01E128C0CD7518A64E55E8B56A4B8EF9DB3ECD2DE33D39779DCA1FBF21DE735E489A09159A1FD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........V......#...&...........................d......................................@... ..............................0..t....`..P....................p.......................................................1..H............................text...d...........................`..`.data...L...........................@....rdata..\...........................@..@/4.......2.......4..................@..@.bss.....................................edata..............................@..@.idata..t....0......................@....CRT....0....@......................@....tls.........P......................@....rsrc...P....`......................@....reloc.......p......................@..B........................................................................................................................................................................................

C:\Program Files (x86)\CPointASP\bin\x86\is-9JRC1.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	68876
Entropy (8bit):	7.922125376804506
Encrypted:	false
SSDEEP:	1536:q0Z4sz1ZMjCjDIhoLffiedENahBzzxO/JfgmYFGKEvi8TxCI+vHVl:v4MzMjGkhoLfsahS/JYN2vUl
MD5:	4E35BA785CD3B37A3702E577510F39E3
SHA1:	A2FD74A68BEFF732E5F3CB0835713AEA8D639902
SHA-256:	0AFE688B6FCA94C69780F454BE65E12D616C6E6376E80C5B3835E3FA6DE3EB8A
SHA-512:	1B839AF5B4049A20D9B8A0779FE943A4238C8FBFBF306BC6D3A27AF45C76F6C56B57B2EC8F087F7034D89B5B139E53A626A8D7316BE1374EAC28B06D23E7995D
Malicious:	false
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\Program Files (x86)\CPointASP\bin\x86\is-9JRC1.tmp, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...................................D.... ..PE..L.....U]...........!......................... ............................................@.........................P...........d.......@...............................................................................8...............................................................@..@.rsrc...............................@..@.......................................@petite..............................`..`...........................................&MK#H..OEJ..}??...:..$ayf.r7.w(/.d`...A(7.%p.f.>\..d."..W......[4.0..ZY..... .....~...T....9a+..'.......g!.....l...<..?Y.(..[k.I=....D.....c..=.?.8...D>0...#.ZdO..Z...%......X.P..bS..s..=$...m.N........A......A4..J>Wa.N..K.>....2n8.ii.#....y#.J ....i!...a7..Pbl@B.%h0..8RSr.........]..z.\...x..e..5.3.$h. <G.3....-......Q....O0..,......Y}......@...<...t.H).T..! .....ap......Tj.o...0b...`..yX.. g...hzA...b.7.s$M.... ..'....\$...H.\.l.C g..4..(.6@.Q....B(..

C:\Program Files (x86)\CPointASP\bin\x86\is-9SQN6.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	8456
Entropy (8bit):	6.767152008521429
Encrypted:	false
SSDEEP:	192:yxPHUtfhriUVoSoGtyo2xmJ8GbarAtT7/lxjFZnPK0cl:KPehriU3t2IiGbHTxZnPK0cl
MD5:	19E08B7F7B379A9D1F370E2B5CC622BD
SHA1:	3E2D2767459A92B557380C5796190DB15EC8A6EA
SHA-256:	AC97E5492A3CE1689A2B3C25D588FAC68DFF5C2B79FCF4067F2D781F092BA2A1
SHA-512:	564101A9428A053AA5B08E84586BCBB73874131154010A601FCE8A6FC8C4850C614B4B0A07ACF2A38FD2D4924D835584DB0A8B49EF369E2E450E458AC32CF256
Malicious:	false
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\Program Files (x86)\CPointASP\bin\x86\is-9SQN6.tmp, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................D.... ..PE..L...#.MZ...........!.................p.......0............................................@.........................Pr.......q..d....P..8....................%.......................................................q..8....................................@..........................@..@.rsrc........P......................@..@.............`.........................@petite.......p......................`..`..................................................l..a.......1...3W..Z.....H...5.(...$.. .>X9..Fn... ..."j1..........%.7.d...".m...n.ePY......`....I.gYo..UC....Rq(...F......s..8`.I.....i..F.....'......@..-;.........J...Oq...b@...........$.D4E..($.....8':;.q....[-..{..w....@M....J$..0d..9Q.I^.^y.E..L_-.x!s.......W.H.R..@.6....MQ.Q8.s.."...!."IX.vM...!e.$%......U.....F.CoI..X.dA...0.Y..r.8.*p...<..M y...8..s....N5<.J....&..`...w..'..\s..%..A.`....s..j.H...X#..R.\..)R3@..X.P.5...G..t.f/..C.b.d...\|.

C:\Program Files (x86)\CPointASP\bin\x86\is-AO7D9.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	512014
Entropy (8bit):	6.566561154468342
Encrypted:	false
SSDEEP:	12288:BNKab1bu1dEpBZvkO4KTYnyA0bFHmufLKNs3gv:rKcozEpbvkOCyA0xGufLKau
MD5:	C4A2068C59597175CD1A29F3E7F31BC1
SHA1:	89DE0169028E2BDD5F87A51E2251F7364981044D
SHA-256:	7AE79F834A4B875A14D63A0DB356EEC1D356F8E64FF9964E458D1C2050E5D180
SHA-512:	0989EA9E0EFADF1F6C31E7FC243371BB92BFD1446CF62798DCA38A021FAD8B6ADB0AEABDFBDC5CE8B71FE920E341FC8AB4E906B1839C6E469C75D8148A74A08A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P/.d...........#...(.l.........................n.........................P............@... ..........................:........... .......................0..L...........................d...........................P............................text....k.......l..................`..`.data................p..............@....rdata...t.......v...r..............@..@/4......L...........................@..@.bss....X................................edata...:.......<...j..............@..@.idata..............................@....CRT....,...........................@....tls................................@....rsrc........ ......................@....reloc..L....0......................@..B........................................................................................................................................................................................

C:\Program Files (x86)\CPointASP\bin\x86\is-AU9HG.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	227328
Entropy (8bit):	6.641153481093122
Encrypted:	false
SSDEEP:	6144:jtJXnqDMJgH50aKyumLCGTrS4ifbjoO88k:KqgHlKyumLCGTrS4inoZ
MD5:	BC824DC1D1417DE0A0E47A30A51428FD
SHA1:	C909C48C625488508026C57D1ED75A4AE6A7F9DB
SHA-256:	A87AA800F996902F06C735EA44F4F1E47F03274FE714A193C9E13C5D47230FAB
SHA-512:	566B5D5DDEA920A31E0FB9E048E28EF2AC149EF075DB44542A46671380F904427AC9A6F59FBC09FE3A4FBB2994F3CAEEE65452FE55804E403CEABC091FFAF670
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...e>.a...........#.........t...V.................e.........................@......1......... .........................#....................................0...............................).......................................................text...............................`.P`.data...............................@.`..rdata..d0.......2..................@.`@.eh_framd@...@...B..................@.0@.bss.....T............................`..edata..#............T..............@.0@.idata...............^..............@.0..CRT....,............d..............@.0..tls......... .......f..............@.0..reloc.......0.......h..............@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CPointASP\bin\x86\is-AVN6H.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	394752
Entropy (8bit):	6.662070316214798
Encrypted:	false
SSDEEP:	6144:uAlmRfeS+mOxv8bgDTuXU54l8WybBE36IpuIT9nxQPQnhH/a0CRdWqWJwGKp:zlm0S+SEuXU54NylJIJ9KPQnhilRsVJ
MD5:	A4123DE65270C91849FFEB8515A864C4
SHA1:	93971C6BB25F3F4D54D4DF6C0C002199A2F84525
SHA-256:	43A9928D6604BF604E43C2E1BAB30AE1654B3C26E66475F9488A95D89A4E6113
SHA-512:	D0834F7DB31ABA8AA9D97479938DA2D4CD945F76DC2203D60D24C75D29D36E635C2B0D97425027C4DEBA558B8A41A77E288F73263FA9ABC12C54E93510E3D384
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......KL...-d..-d..-d..U...-d..Be..-d.TEe..-d..-e.:-d..Ba..-d..B`..-d..Bg..-d..B`.c-d..Bd..-d..B...-d..Bf..-d.Rich.-d.........................PE..L.....b`...........!.....L..........+S.......`...............................P............@.................................L........... .................... ..\ ..$...............................@...@............`...............................text...NK.......L.................. ..`.rdata......`.......P..............@..@.data...............................@....rsrc... ...........................@..@.reloc..\ ... ..."..................@..B................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CPointASP\bin\x86\is-B87EH.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	22542
Entropy (8bit):	5.5875455203930615
Encrypted:	false
SSDEEP:	384:RKAPwPQJgZd3rw0bGMtyz1fiaqmjj1nFY4j70UotV9mRyK:YPQJgZZwUGH1fJljj1+D18
MD5:	E1C0147422B8C4DB4FC4C1AD6DD1B6EE
SHA1:	4D10C5AD96756CBC530F3C35ADCD9E4B3F467CFA
SHA-256:	124F210C04C12D8C6E4224E257D934838567D587E5ABAEA967CBD5F088677049
SHA-512:	A163122DFFE729E6F1CA6EB756A776F6F01A784A488E2ACCE63AEAFA14668E8B1148BE948EB4AF4CA8C5980E85E681960B8A43C94B95DFFC72FCCEE1E170BD9A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........X...............,...T...............@....@.......................................... .................................@...........................................................PU..........................P............................text....+.......,..................`.P`.data........@.......0..............@.`..rdata..0....P.......2..............@.0@/4...........`.......<..............@.0@.bss.........p........................`..idata..@............J..............@.0..CRT....4............T..............@.0..tls.................V..............@.0.................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CPointASP\bin\x86\is-DER7H.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	197646
Entropy (8bit):	6.1570532273946625
Encrypted:	false
SSDEEP:	3072:brPGp0y4SP+iBGgySYm+dE3sYrJqkAzhU88vsAGSW+:brPGaTEsHSYmbbOU8osAGG
MD5:	2C8EC61630F8AA6AAC674E4C63F4C973
SHA1:	64E3BB9AA505C66E87FE912D4EA3054ADF6CEF76
SHA-256:	DFD55D0DDD1A7D081FCE8E552DC29706A84DC6CA2FDD2F82D63F33D74E882849
SHA-512:	488378012FB5F477ED4636C37D7A883B1DAD0FBC671D238B577A9374EFE40AB781F5E483AE921F1909A9B7C1C2A3E78E29B533D3B6FFE15AAEE840CAD2DCF5D0
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#...............................m................................]_........ ...................... ..A....0...............................`..............................p0.......................1..D............................text...............................`.P`.data...............................@.0..rdata..L0.......2..................@.`@/4...........P......................@.0@.bss..................................`..edata..A.... ......................@.0@.idata.......0......................@.0..CRT....,....@......................@.0..tls.........P......................@.0..reloc.......`......................@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CPointASP\bin\x86\is-EFHJ3.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	967168
Entropy (8bit):	6.500850562754145
Encrypted:	false
SSDEEP:	12288:j2ezAN6FpYQSzclODziLQEkkDHFb1aWGssVvVmPUwV+SiRm7rhj:jhAgFptPlqmPDHJ1apVdYUy+jRmX
MD5:	C06D6F4DABD9E8BBDECFC5D61B43A8A9
SHA1:	16D9F4F035835AFE8F694AE5529F95E4C3C78526
SHA-256:	665D47597146DDAAA44B771787B750D3CD82C5B5C0B33CA38F093F298326C9BB
SHA-512:	B0EBE9E2682A603C34F2B884121FA5D2D87ED3891990CCD91CD14005B28FE208A3B86FA20E182F9E7FC5142A267C8225AEFDCB23CF5B7556D2CF8F9E3BDE62D4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V.~..m...m...m......m.....m......m.......m..)3...m..)3...m..)3...m.......m...m..rm...m..m..3...m..3...m..3...m..Rich.m..........................PE..L...8..^...........!.........&.......`....................................................@..........................4.......G..<...............................HR..P+..T............................+..@...............D............................text............................... ..`.rdata..............................@..@.data........P...$...D..............@....trace.......`.......h..............@..@.gfids...............~..............@..@_RDATA..@...........................@..@.debug_o............................@..B.rsrc................l..............@..@.reloc..HR.......T...n..............@..B................................................................................................................

C:\Program Files (x86)\CPointASP\bin\x86\is-EJ9G2.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	7910
Entropy (8bit):	6.931925007191986
Encrypted:	false
SSDEEP:	192:piDl1jKrGer007ia6abHX0d/aeHeN+VPHIJQxNiJCl9AK0f:IDJ9aDb30dCe+4PHIJrJCl9AK0f
MD5:	1268DEA570A7511FDC8E70C1149F6743
SHA1:	1D646FC69145EC6A4C0C9CAD80626AD40F22E8CD
SHA-256:	F266DBA7B23321BF963C8D8B1257A50E1467FAAAB9952EF7FFED1B6844616649
SHA-512:	E19F0EA39FF7AA11830AF5AAD53343288C742BE22299C815C84D24251FA2643B1E0401AF04E5F9B25CAB29601EA56783522DDB06C4195C6A609804880BAE9E9B
Malicious:	false
Yara Hits:	Rule: JoeSecurity_PetiteVirus, Description: Yara detected Petite Virus, Source: C:\Program Files (x86)\CPointASP\bin\x86\is-EJ9G2.tmp, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................D.... ..PE..L.....V...........!.................p.......0............................................@.........................Pr.......q..d....P.......................%.......................................................q..8....................................@..........................@..@.rsrc........P......................@..@.............`.........................@petite.......p......................`..`.........................................\|7{M..... ........r B`.Zr..P.........T}.e..YJ...=.X..q.}......b.I...G.....^.d...R..-R.....d_.......K.q.H.A=.-S..,_.....L...........2.............u.u.%...:.q....c.[.....`...\.X..8..B.@L..3.7.q.....)!.- ...D.....p...J...RU..Q.A..[.#&..R.....".+4...px/7..\....4...., ..8...5.hV.>] ....3.-.<..I+.<r..T..H,Q..!..i--..+.Zq.[...H... ...N.8..#...a.x.iU.G..-_..R....Z(cT%.....S.P.U:g?...;....&....@..KI.X.Q..PQ..v..*....{..~..}..f....c..`....Q...q..%......,j.4.Y..)....Cf7..

C:\Program Files (x86)\CPointASP\bin\x86\is-F3LHF.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	772608
Entropy (8bit):	6.546391052615969
Encrypted:	false
SSDEEP:	6144:Q75mFL0MNnM/SQdtij4UujFhGiNV1SckT3wio2L2jV6EfnQ29mwF3s4iGtInw1m8:AwN0e0lN1fnQUFccGns9ukS6
MD5:	B3B487FC3832B607A853211E8AC42CAD
SHA1:	06E32C28103D33DAD53BE06C894203F8808D38C1
SHA-256:	30BC10BD6E5B2DB1ACE93C2004E24C128D20C242063D4F0889FD3FB3E284A9E4
SHA-512:	FA6BDBA4F2A0CF4CCA40A333B69FD041D9EDC0736EDA206F17F10AF5505CC4688B0401A3CAD2D2F69392E752B8877DB593C7872BCDB133DC785A200FF38598BB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....1.d.................D..........$].......`....@.......................................@......@...................0..o............p...(...................`...............................P......................X........ .......................text...h4.......6.................. ..`.itext.......P.......:.............. ..`.data....7...`...8...H..............@....bss....0i...............................idata..............................@....didata...... ......................@....edata..o....0......................@..@.tls.........@...........................rdata..]....P......................@..@.reloc.......`......................@..B.rsrc....(...p...(..................@..@....................................@..@................

C:\Program Files (x86)\CPointASP\bin\x86\is-G4UPE.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	240654
Entropy (8bit):	6.518503846592995
Encrypted:	false
SSDEEP:	6144:yZDfF4DjzIHBV+bUeenu+t+oSTdjpNZ7utS81qpHW4paP2L:ekjzMBVKXeuq+oSTdjpr7N8f+L
MD5:	4F0C85351AEC4B00300451424DB4B5A4
SHA1:	BB66D807EDE0D7D86438207EB850F50126924C9D
SHA-256:	CC0B53969670C7275A855557EA16182C932160BC0F8543EFFC570F760AE2185E
SHA-512:	80C84403ED47380FF75EBA50A23E565F7E5C68C7BE8C208A5A48B7FB0798FF51F3D33780C902A6F8AB0E6DB328860C071C77B93AC88CADF84FEF7DF34DE3E2DA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....H...................`.....g.................................\........ .........................o.......\...............................t............................S.......................................................text...dF.......H..................`.P`.data...X....`.......L..............@.P..rdata.......p.......N..............@.`@/4.......<.......>...T..............@.0@.bss..................................`..edata..o...........................@.0@.idata..\...........................@.0..CRT....,...........................@.0..tls................................@.0..reloc..t...........................@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CPointASP\bin\x86\is-GE7OO.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	13838
Entropy (8bit):	5.173769974589746
Encrypted:	false
SSDEEP:	192:oh3ZZBe9xz7rdz9Us5bsRuKUYDpesWAhQqCNhNXUwS7RuLH9+E:ohLBe3dz9UsikKDGZqCNhNXUwS4bcE
MD5:	9C55B3E5ED1365E82AE9D5DA3EAEC9F2
SHA1:	BB3D30805A84C6F0803BE549C070F21C735E10A9
SHA-256:	D2E374DF7122C0676B4618AED537DFC8A7B5714B75D362BFBE85B38F47E3D4A4
SHA-512:	EEFE8793309FDC801B1649661B0C17C38406A9DAA1E12959CD20344975747D470D6D9C8BE51A46279A42FE1843C254C432938981D108F4899B93CDD744B5D968
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........6.........#.........2...............0....@m.................................Z........ ......................p..J.......h............................................................@......................................................text...............................`.P`.data...,....0......................@.0..rdata.......@......................@.0@/4...........P......................@.0@.bss.........`........................`..edata..J....p.......(..............@.0@.idata..h............*..............@.0..CRT....,............0..............@.0..tls.................2..............@.0..reloc...............4..............@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CPointASP\bin\x86\is-GR811.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	112640
Entropy (8bit):	6.540227486061059
Encrypted:	false
SSDEEP:	1536:45vq1zsdXYjZmGz9anu3MwjLA/eeiUKJP3Djl23HTKJ7WMU3lPyK+ZSrKxV/UJ9G:vzMMg/gMKeGsMIl6K+Zvry5zNY
MD5:	BDB65DCE335AC29ECCBC2CA7A7AD36B7
SHA1:	CE7678DCF7AF0DBF9649B660DB63DB87325E6F69
SHA-256:	7EC9EE07BFD67150D1BC26158000436B63CA8DBB2623095C049E06091FA374C3
SHA-512:	8AABCA6BE47A365ACD28DF8224F9B9B5E1654F67E825719286697FB9E1B75478DDDF31671E3921F06632EED5BB3DDA91D81E48D4550C2DCD8E2404D566F1BC29
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................f...N......0u............@.....................................................................2.......v...............................h...................................................................................CODE....Pe.......f.................. ..`DATA....D............j..............@...BSS......................................idata..v...........................@....edata..2...........................@..P.reloc..h...........................@..P.rsrc...............................@..P....................................@..P................................................................................................................................................................................

C:\Program Files (x86)\CPointASP\bin\x86\is-HRFH2.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	26126
Entropy (8bit):	6.048294343792499
Encrypted:	false
SSDEEP:	384:hhkxE9v7/GRm4v5OxlBWaEybb9p7aCyS/hU7CateHcUwSCnq6D:Yx6jGXvc5WaBb99yS/hQh
MD5:	D1223F86EDF0D5A2D32F1E2AAAF8AE3F
SHA1:	C286CA29826A138F3E01A3D654B2F15E21DBE445
SHA-256:	E0E11A058C4B0ADD3892E0BEA204F6F60A47AFC86A21076036393607235B469C
SHA-512:	7EA1FFB23F8A850F5D3893C6BB66BF95FAB2F10F236A781620E9DC6026F175AAE824FD0E03082F0CF13D05D13A8EEDE4F5067491945FCA82BBCDCF68A0109CFF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........f.........#.....6...b...............P.....h................................8-........ .........................i...................................................................Lk......................................................text....4.......6..................`.P`.data...,....P.......:..............@.0..rdata.......`.......<..............@.`@/4......T....p.......J..............@.0@.bss..................................`..edata..i............V..............@.0@.idata...............X..............@.0..CRT....,............^..............@.0..tls.................`..............@.0..reloc...............b..............@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CPointASP\bin\x86\is-II7SF.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	15374
Entropy (8bit):	5.192037544202194
Encrypted:	false
SSDEEP:	384:lhgkOI7BGi9gKV6uq+u6JewsNhNXUwSCgQ:DT7BGVKPKbXF
MD5:	BEFD36FE8383549246E1FD49DB270C07
SHA1:	1EF12B568599F31292879A8581F6CD0279F3E92A
SHA-256:	B5942E8096C95118C425B30CEC8838904897CDEF78297C7BBB96D7E2D45EE288
SHA-512:	FD9AA6A4134858A715BE846841827196382D0D86F2B1AA5C7A249B770408815B0FE30C4D1E634E8D6D3C8FEDBCE4654CD5DC240F91D54FC8A7EFE7CAE2E569F4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........<.........#.........8...............0.....f................................b......... ......................p..E.......h...........................................................P@......................................................text...............................`.P`.data...,....0....... ..............@.0..rdata.......@......."..............@.0@/4...........P.......$..............@.0@.bss.........`........................`..edata..E....p......................@.0@.idata..h............0..............@.0..CRT....,............6..............@.0..tls.................8..............@.0..reloc...............:..............@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CPointASP\bin\x86\is-K0GP7.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	337408
Entropy (8bit):	6.515131904432587
Encrypted:	false
SSDEEP:	6144:3nzsyDn7PDS+FDflUjvJUkbEOyF1rOpsuCOuOff5k4F/lTRHA:3377SKfgvqkbFyFJCRRzH
MD5:	62D2156E3CA8387964F7AA13DD1CCD5B
SHA1:	A5067E046ED9EA5512C94D1D17C394D6CF89CCCA
SHA-256:	59CBFBA941D3AC0238219DAA11C93969489B40F1E8B38FABDB5805AC3DD72BFA
SHA-512:	006F7C46021F339B6CBF9F0B80CFFA74ABB8D48E12986266D069738C4E6BDB799BFBA4B8EE4565A01E90DBE679A96A2399D795A6EAD6EACBB4818A155858BF60
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........@..\|...\|...\|...p...\|...w...\|.d.r...\|...v...\|...x...\|.i.#...\|...}.\|.\|.d.!...\|...w...\|..V....\|...v...\|.......\|. .z...\|.Rich..\|.........PE..L....r.b.....................>......\........ ....@.......................................@.....................................x....0.......................@...3................................................... ..(............................text............................... ..`.rdata..r.... ......................@..@.data....'..........................@....sxdata...... ......................@....rsrc........0......................@..@.reloc...<...@...>..................@..B........................................................................................................................................................................................................................................................

C:\Program Files (x86)\CPointASP\bin\x86\is-KBFH3.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	31936
Entropy (8bit):	6.6461204214578
Encrypted:	false
SSDEEP:	768:SEEn30ilOAb++HynTDbc3fwaVCPxWE/MM:SEa0YOU1HgU3fwaVCPxqM
MD5:	72E3BDD0CE0AF6A3A3C82F3AE6426814
SHA1:	A2FB64D5B9F5F3181D1A622D918262CE2F9A7AA3
SHA-256:	7AC8A8D5679C96D14C15E6DBC6C72C260AAEFB002D0A4B5D28B3A5C2B15DF0AB
SHA-512:	A876D0872BFBF099101F7F042AEAF1FD44208A354E64FC18BAB496BEEC6FDABCA432A852795CFC0A220013F619F13281B93ECC46160763AC7018AD97E8CC7971
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........P.........#.....&...L...............@.....d................................8......... .........................b............................P...,...................................R......................x................................text....%.......&..................`.P`.data........@.......*..............@.`..rdata.......P.......,..............@.0@/4...........`.......2..............@.0@.bss.........p........................`..edata..b............>..............@.0@.idata...............@..............@.0..CRT....,............H..............@.0..tls.................J..............@.0..reloc...............L..............@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CPointASP\bin\x86\is-KDLQ5.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	294926
Entropy (8bit):	6.191604766067493
Encrypted:	false
SSDEEP:	3072:7E0FFjiAeF21pLQFgK33duKMnlCj3eWyNg2hlNvFXl8rzJjjOjVmdX566Uwqwqwm:wKFX3LygKjjN2HIfpruwqwqwFUgVE
MD5:	C76C9AE552E4CE69E3EB9EC380BC0A42
SHA1:	EFFEC2973C3D678441AF76CFAA55E781271BD1FB
SHA-256:	574595B5FD6223E4A004FA85CBB3588C18CC6B83BF3140D8F94C83D11DBCA7BD
SHA-512:	7FB385227E802A0C77749978831245235CD1343B95D97E610D20FB0454241C465387BCCB937A2EE8A2E0B461DD3D2834F7F542E7739D8E428E146F378A24EE97
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.........\|.....................n.................................c........ ......................`..j7...........................................................................................................................text...8...........................`.P`.data...x...........................@.0..rdata...F.......H..................@.`@/4.......U.......V..................@.0@.bss.........P........................`..edata..j7...`...8...$..............@.0@.idata...............\..............@.0..CRT....,............b..............@.0..tls.................d..............@.0..reloc...............f..............@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CPointASP\bin\x86\is-KS29E.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	36416
Entropy (8bit):	7.842278356440954
Encrypted:	false
SSDEEP:	768:lshkyPXvH6bPACtmb8boNQdVfCXewki/OvXEApOqmFfSq1oIQMW:lsh3n5Pb8boOdVCuwNEXEAonfSq1JQb
MD5:	BEBA64522AA8265751187E38D1FC0653
SHA1:	63FFB566AA7B2242FCC91A67E0EDA940C4596E8E
SHA-256:	8C58BC6C89772D0CD72C61E6CF982A3F51DEE9AAC946E076A0273CD3AAF3BE9D
SHA-512:	13214E191C6D94DB914835577C048ADF2240C7335C0A2C2274C096114B7B75CD2CE13A76316963CCD55EE371631998FAC678FCF82AE2AE178B7813B2C35C6651
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................D.... ..PE..L....}.Q...........!................6 ............`..........................0......................................d#.......!..........@...................t...........................................................................................................................`....rsrc...........@...................@..@....................................@................ ......................`.......................................X...{.......j...f.!.PRj.....j..S.ERROR!.Corrupt Data!... c.f.`P....h.p..j..P..C.h..`..<$.3f....t...;S.^......Vj.PWj.j.Vj.PW....Y.Yf..X........X....................Z...t..$.4..l$..m..J...R...z.....XXXXZt.D$....P(......P...s.j.h`...h`.....j.h....h....j.3.3.0_.K~..[...s.3..^......s...$A."...L$..<.........;D$....;D$......$. ............u...........V+.48.^...u.........A............r..I.....................]...............'..................................A...%...........

C:\Program Files (x86)\CPointASP\bin\x86\is-L5J4J.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	Unicode text, UTF-8 text
Category:	dropped
Size (bytes):	1059
Entropy (8bit):	5.1208137218866945
Encrypted:	false
SSDEEP:	24:LLDrmJHHH0yN3gtsHw1hj9QHOsUv4eOk4/+/m3oqLF5n:LLDaJHlxE35QHOs5exm3ogF5n
MD5:	B7EDCC6CB01ACE25EBD2555CF15473DC
SHA1:	2627FF03833F74ED51A7F43C55D30B249B6A0707
SHA-256:	D6B4754BB67BDD08B97D5D11B2D7434997A371585A78FE77007149DF3AF8D09C
SHA-512:	962BD5C9FB510D57FAC0C3B189B7ADEB29E00BED60F0BB9D7E899601C06C2263EDA976E64C352E4B7C0AAEFB70D2FCB0ABEF45E43882089477881A303EB88C09
Malicious:	false
Preview:	Copyright (c) 2011 Jan Kokem.ller..Permission is hereby granted, free of charge, to any person obtaining a copy.of this software and associated documentation files (the "Software"), to deal.in the Software without restriction, including without limitation the rights.to use, copy, modify, merge, publish, distribute, sublicense, and/or sell.copies of the Software, and to permit persons to whom the Software is.furnished to do so, subject to the following conditions:..The above copyright notice and this permission notice shall be included in.all copies or substantial portions of the Software...THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR.IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,.FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE.AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER.LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,.OUT OF OR IN CONNECTION WITH

C:\Program Files (x86)\CPointASP\bin\x86\is-LJEF3.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	39304
Entropy (8bit):	7.819409739152795
Encrypted:	false
SSDEEP:	768:i5GGx+OZPWuGdoiwUpPLH7IN3x1eW0kIAJbfT13MMnahRlmftuohQf:i5DxDPWMApPLsNhkVkI6R3TnalauoQ
MD5:	C7A50ACE28DDE05B897E000FA398BBCE
SHA1:	33DA507B06614F890D8C8239E71D3D1372E61DAA
SHA-256:	F02979610F9BE2F267AA3260BB3DF0F79EEEB6F491A77EBBE719A44814602BCC
SHA-512:	4CD7F851C7778C99AFED492A040597356F1596BD81548C803C45565975CA6F075D61BC497FCE68C6B4FEDC1D0B5FD0D84FEAA187DC5E149F4E8E44492D999358
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....."b...........!.........x.......P.......................................`.......Z....@.........................PR.......Q..d....0..0............}......D........................................................Q..8.................................... .......t..................@..@.rsrc.... ...0.......v..............@..@petite.......P.......z..............`..`......................p..k..K..i{..\.H..'.\|w.t...\..dkB%..i.cX...`B...m.X..A.NU.i.I. J.I....x-.e2n.IA.2.:..2G5Z/.+(8w.S<...`ML........!..%+.r.s.1.~.D...]......U..q3.....9..?y.>j.E.T...Y..D..>..aJ......P^Y..w?.9w.,...+C^.[....\|..'.....7..F%..A.....)..b.)8.2Q`.v.F=.."S..{z...z-H=....L_....RM..s......H2P1a....[..i. 2..~.?...+R... .m(.I..X...H.g.Z..i..G.?.(......e.:.B......fh......gl.x.Z......I>..#....Hgv.;g.@ l.$(...0.........l.>.p..z;A.@...*4v..x.U.gU..Bqqb..6.x...D.....cIE(5m.g}J..

C:\Program Files (x86)\CPointASP\bin\x86\is-NEGHU.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	126478
Entropy (8bit):	6.268811819718352
Encrypted:	false
SSDEEP:	3072:UnNKg6JaJUeHjiaphKMLrn8uexz3TmBUg6xcE:UNcJGGehKMLJBUg6x
MD5:	6E93C9C8AADA15890073E74ED8D400C9
SHA1:	94757DBD181346C7933694EA7D217B2B7977CC5F
SHA-256:	B6E2FA50E0BE319104B05D6A754FE38991E6E1C476951CEE3C7EBDA0DC785E02
SHA-512:	A9F71F91961C75BB32871B1EFC58AF1E1710BDE1E39E7958AE9BB2A174E84E0DD32EBAAB9F5AE37275651297D8175EFA0B3379567E0EB0272423B604B4510852
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....^...................p.....m.........................p......f......... .........................{.... ...............................P..............................X........................!...............................text....\.......^..................`.P`.data........p.......b..............@.`..rdata..h&.......(...d..............@.`@/4......\B.......D..................@.0@.bss..................................`..edata..{...........................@.0@.idata....... ......................@.0..CRT....,....0......................@.0..tls.........@......................@.0..reloc.......P......................@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CPointASP\bin\x86\is-O49TE.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	ASCII text
Category:	dropped
Size (bytes):	26526
Entropy (8bit):	4.600837395607617
Encrypted:	false
SSDEEP:	384:Lc56OuAbnn0UReX6wFDVxnFw7xqsvzt+z/k8E9HinIhFkspcM9bc7ups0CZuQG:Lc5trLeDnFMz1ReScmc7GshZuQG
MD5:	BD7A443320AF8C812E4C18D1B79DF004
SHA1:	37D2F1D62FEC4DA0CAF06E5DA21AFC3521B597AA
SHA-256:	B634AB5640E258563C536E658CAD87080553DF6F34F62269A21D554844E58BFE
SHA-512:	21AEF7129B5B70E3F9255B1EA4DC994BF48B8A7F42CD90748D71465738D934891BBEC6C6FC6A1CCFAF7D3F35496677D62E2AF346D5E8266F6A51AE21A65C4460
Malicious:	false
Preview:	GNU LESSER GENERAL PUBLIC LICENSE. Version 2.1, February 1999.. Copyright (C) 1991, 1999 Free Software Foundation, Inc.. 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. Everyone is permitted to copy and distribute verbatim copies. of this license document, but changing it is not allowed...[This is the first released version of the Lesser GPL. It also counts. as the successor of the GNU Library Public License, version 2, hence. the version number 2.1.].. Preamble.. The licenses for most software are designed to take away your.freedom to share and change it. By contrast, the GNU General Public.Licenses are intended to guarantee your freedom to share and change.free software--to make sure the software is free for all its users... This license, the Lesser General Public License, applies to some.specially designated software packages--typically libraries--of the.Free Software Foundation and other authors who

C:\Program Files (x86)\CPointASP\bin\x86\is-ODNC4.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	115712
Entropy (8bit):	6.401537154757194
Encrypted:	false
SSDEEP:	3072:rY4gILp0Vt7BMkvfHutO+eP0ZjflQf5xqkYXeo21sb2rqG70:rY4gILp0Vt77nLBCtQfjqv8qG70
MD5:	840D631DA54C308B23590AD6366EBA77
SHA1:	5ED0928667451239E62E6A0A744DA47C74E1CF89
SHA-256:	6BAD60DF9A560FB7D6F8647B75C367FDA232BDFCA2291273A21179495DAC3DB9
SHA-512:	1394A48240BA4EF386215942465BDE418C5C6ED73FC935FE7D207D2A1370155C94CDC15431985ED4E656CA6B777BA79FFC88E78FA3D99DB7E0E6EAC7D1663594
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......?..R{...{...{...o...q...o.......o...i...)...W...)...t...)...j...o...x...{.......-...s...-...z...-.4.z...-...z...Rich{...........PE..L....H.a...........!.....$...........h.......@............................... ............@.............................x.......(.......................................8..............................@............@..D............................text....#.......$.................. ..`.rdata...x...@...z...(..............@..@.data.... ..........................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CPointASP\bin\x86\is-P9QDC.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	16910
Entropy (8bit):	5.289608933932413
Encrypted:	false
SSDEEP:	384:ohtyjknGC7hipL+9mLYFOozxkdlDNUwS5Qq:UGknGC74l+MUFI7C
MD5:	2F040608E68E679DD42B7D8D3FCA563E
SHA1:	4B2C3A6B8902E32CDA33A241B24A79BE380C55FC
SHA-256:	6B980CADC3E7047CC51AD1234CB7E76FF520149A746CB64E5631AF1EA1939962
SHA-512:	718AF5BE259973732179ABA45B672637FCA21AE575B4115A62139A751C04F267F355B8F7F7432B56719D91390DABA774B39283CBCFE18F09CA033389FB31A4FC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........B.........#.........>...f...........0.....h......................... ................ .........................{.......\|...............................$...........................pA.......................................................text...4...........................`.P`.data...<....0......."..............@.0..rdata.......@.......$..............@.`@/4...........P.......(..............@.0@.bss.....d...`........................`..edata..{............2..............@.0@.idata..\|............4..............@.0..CRT....,............:..............@.0..tls.................<..............@.0..reloc..$............>..............@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CPointASP\bin\x86\is-RRNMJ.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	214016
Entropy (8bit):	6.676457645865373
Encrypted:	false
SSDEEP:	3072:v3UEEkp2yVTcc295GSSazZq0/OlxAOxN5jZ2Ti30ezAg0Fu9RBhk1Xion:cEEpYcc2G/adqLtxLZ2+vAO9Hhkzn
MD5:	2C747F19BF1295EBBDAB9FB14BB19EE2
SHA1:	6F3B71826C51C739D6BB75085E634B2B2EF538BC
SHA-256:	D2074B91A63219CFD3313C850B2833CD579CC869EF751B1F5AD7EDFB77BD1EDD
SHA-512:	C100C0A5AF52D951F3905884E9B9D0EC1A0D0AEBE70550A646BA6E5D33583247F67CA19E1D045170A286D92EE84E1676A6C1B0527E017A35B6242DD9DEE05AF4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......}6,.9WB.9WB.9WB...9.:WB.9WC.hWB....;WB."..&WB."..WB."...WB.9WB.?WB."..8WB."..8WB."..8WB.Rich9WB.........PE..L......W...........!.....N...........n.......`............................................@.........................`...h.......(....`..X....................p.......................................................`...............................text...?L.......N.................. ..`.rdata......`.......R..............@..@.data....W.......2..................@....rsrc...X....`......................@..@.reloc..f&...p...(..................@..B........................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CPointASP\bin\x86\is-VRA2K.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5960
Entropy (8bit):	5.956401374574174
Encrypted:	false
SSDEEP:	96:dj78cqhzbWKlECE7WbjDFf6IhaYYUOAoDf4+XCVhovG9AkM7Ui10:CjlEJ7WbjDFf6waYvdc4gYAkM10
MD5:	B3CC560AC7A5D1D266CB54E9A5A4767E
SHA1:	E169E924405C2114022674256AFC28FE493FBFDF
SHA-256:	EDDE733A8D2CA65C8B4865525290E55B703530C954F001E68D1B76B2A54EDCB5
SHA-512:	A836DECACB42CC3F7D42E2BF7A482AE066F5D1DF08CCCC466880391028059516847E1BF71E4C6A90D2D34016519D16981DDEEACFB94E166E4A9A720D9CC5D699
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................D.... ..PE..L......I...........!.....4...T......6`....... ...............................p......................................lc.......a.......@..H....................................................................................................................0..........................`....rsrc........@..H...................@..@.............P......................@................`......................`.......................................X....E......j...f.!.PRj.....j..S.ERROR!.Corrupt Data!...`..f.`P....h....j..P..C.h.....<$.3f....t...;S.^......Vj.PWj.j.Vj.PW....Y.Yf..X........X....................Z...t..$.4..l$..m..J...R...z.....XXXXZt.D$....P(......P...s.j.h`...h`.....j.h....h....j.3.3.0_.K~..[...s.3..^......s...$A."...L$..<.........;D$....;D$......$. ............u...........V+.48.^...u.........A............r..I.e...h....P..0................0..............h.... ..0...........6...........k...........

C:\Program Files (x86)\CPointASP\bin\x86\is-VT3M5.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	17472
Entropy (8bit):	7.524548435291935
Encrypted:	false
SSDEEP:	384:IwwsQD13cT5HhSVeEQNW5kbbcGEh/qTio+lyTnGy:QRD13ySVeEOW5kbSSTHNTnr
MD5:	7B52BE6D702AA590DB57A0E135F81C45
SHA1:	518FB84C77E547DD73C335D2090A35537111F837
SHA-256:	9B5A8B323D2D1209A5696EAF521669886F028CE1ECDBB49D1610C09A22746330
SHA-512:	79C1959A689BDC29B63CA771F7E1AB6FF960552CADF0644A7C25C31775FE3458884821A0130B1BAB425C3B41F1C680D4776DD5311CE3939775A39143C873A6FE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...................................D.... ..PE..L....^.L...........!....%v..%.......6........`......................................................................h..................@....................F...............................................................................................p.......8..................`....rsrc...........@....B..............@..@....................................@...........%...........................`.......................................X...x..0....j...f.!.PRj.....j..S.ERROR!.Corrupt Data!......f.`P....h.,..j..P..C.h.....<$.3f....t...;S.^......Vj.PWj.j.Vj.PW....Y.Yf..X........X....................Z...t..$.4..l$..m..J...R...z.....XXXXZt.D$....P(......P...s.j.h`...h`.....j.h....h....j.3.3.0_.K~..[...s.3..^......s...$A."...L$..<.........;D$....;D$......$. ............u...........V+.48.^...u.........A............r..I..D..%...........\|...CC.......p......n....<.......`..............lH......)...............

C:\Program Files (x86)\CPointASP\bin\x86\lame_enc.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	967168
Entropy (8bit):	6.500850562754145
Encrypted:	false
SSDEEP:	12288:j2ezAN6FpYQSzclODziLQEkkDHFb1aWGssVvVmPUwV+SiRm7rhj:jhAgFptPlqmPDHJ1apVdYUy+jRmX
MD5:	C06D6F4DABD9E8BBDECFC5D61B43A8A9
SHA1:	16D9F4F035835AFE8F694AE5529F95E4C3C78526
SHA-256:	665D47597146DDAAA44B771787B750D3CD82C5B5C0B33CA38F093F298326C9BB
SHA-512:	B0EBE9E2682A603C34F2B884121FA5D2D87ED3891990CCD91CD14005B28FE208A3B86FA20E182F9E7FC5142A267C8225AEFDCB23CF5B7556D2CF8F9E3BDE62D4
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......V.~..m...m...m......m.....m......m.......m..)3...m..)3...m..)3...m.......m...m..rm...m..m..3...m..3...m..3...m..Rich.m..........................PE..L...8..^...........!.........&.......`....................................................@..........................4.......G..<...............................HR..P+..T............................+..@...............D............................text............................... ..`.rdata..............................@..@.data........P...$...D..............@....trace.......`.......h..............@..@.gfids...............~..............@..@_RDATA..@...........................@..@.debug_o............................@..B.rsrc................l..............@..@.reloc..HR.......T...n..............@..B................................................................................................................

C:\Program Files (x86)\CPointASP\bin\x86\lessmsi\is-79TKP.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	506871
Entropy (8bit):	7.998074018431883
Encrypted:	true
SSDEEP:	12288:VCtY2iynJj4iqp1WjsxlD71zFusqzKZXGky4H2po:V+Y1y7qp0oxF7T3ZXGky4Wq
MD5:	D52F8AE89AC65F755C28A95C274C1FFE
SHA1:	50D581469FF0648EE628A027396F39598995D8B0
SHA-256:	2F9A9DFD0C0B0CFAF9C700B4659A4F2F3D11368E6C30A3FA0F93ECDD3B4D2E66
SHA-512:	B7B585EED261C262499C73688DFD985818F7869319285168AEEAC1F2CF5FAD487280FCAE1DAC633296E5DB0E0BC454495A09A90C2E37A7E7AF07EF93563503C6
Malicious:	false
Preview:	PK...........N..UD...."....$.AddWindowsExplorerShortcut.exe.. ..........p.../..L..../..L..../...Ykl...>3..f...6I..!7..qL.......Y;...M.HJ\....z....Y?R.B+P...."......US.R.SB....i.....T.R.......3./;/..Q.].{....:s=t.c....\|>...%....v:.Ot.....7.....il.rY^..4r.4.Gxl.3Yp...Q....X.".%......B......q..]k..7ae.O.....;..u.n....b..<............ w,.L'O.&...^.OJ...WT.X?RQOx\|...}MA.n.].q:!]iB`....\|VW.!.@Br[...N.Xl....f....GH..~..h.......:zZ..'. ..n..._.......Gw../.X...t$$...Z.7...&X...[V.e..p..&z..-Wj.r...ku...VKg.t.5.......,.[.,G........w...}...6.rD.EN.#..uu...kb..5"..gL.>.....D.....N..!...1.o..j..tD.!....H.X......a...._Fw..SQ~u{...4.to..7a.rrkT[.F.......nkV.....Sqc..f..gW..9Y.'.....L....U....\'=$...h...a...y...).?......Z......Z.l....+.b...O...h^.._..k......l._Q..m....w..s.eGm.=.nP..v57....H.U..6hQ~98z.A.'.z..H&...=.R.6..B'l...h...l....d]%./....<>....~....@..=....7...T0..J;.J....o.[.O....P.....'.k.......:.i.Bu.)...P#......^.....Jy.(o..:.?.......]./........

C:\Program Files (x86)\CPointASP\bin\x86\lessmsi\lessmsi-v1.6.91.zip (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	506871
Entropy (8bit):	7.998074018431883
Encrypted:	true
SSDEEP:	12288:VCtY2iynJj4iqp1WjsxlD71zFusqzKZXGky4H2po:V+Y1y7qp0oxF7T3ZXGky4Wq
MD5:	D52F8AE89AC65F755C28A95C274C1FFE
SHA1:	50D581469FF0648EE628A027396F39598995D8B0
SHA-256:	2F9A9DFD0C0B0CFAF9C700B4659A4F2F3D11368E6C30A3FA0F93ECDD3B4D2E66
SHA-512:	B7B585EED261C262499C73688DFD985818F7869319285168AEEAC1F2CF5FAD487280FCAE1DAC633296E5DB0E0BC454495A09A90C2E37A7E7AF07EF93563503C6
Malicious:	false
Preview:	PK...........N..UD...."....$.AddWindowsExplorerShortcut.exe.. ..........p.../..L..../..L..../...Ykl...>3..f...6I..!7..qL.......Y;...M.HJ\....z....Y?R.B+P...."......US.R.SB....i.....T.R.......3./;/..Q.].{....:s=t.c....\|>...%....v:.Ot.....7.....il.rY^..4r.4.Gxl.3Yp...Q....X.".%......B......q..]k..7ae.O.....;..u.n....b..<............ w,.L'O.&...^.OJ...WT.X?RQOx\|...}MA.n.].q:!]iB`....\|VW.!.@Br[...N.Xl....f....GH..~..h.......:zZ..'. ..n..._.......Gw../.X...t$$...Z.7...&X...[V.e..p..&z..-Wj.r...ku...VKg.t.5.......,.[.,G........w...}...6.rD.EN.#..uu...kb..5"..gL.>.....D.....N..!...1.o..j..tD.!....H.X......a...._Fw..SQ~u{...4.to..7a.rrkT[.F.......nkV.....Sqc..f..gW..9Y.'.....L....U....\'=$...h...a...y...).?......Z......Z.l....+.b...O...h^.._..k......l._Q..m....w..s.eGm.=.nP..v57....H.U..6hQ~98z.A.'.z..H&...=.R.6..B'l...h...l....d]%./....<>....~....@..=....7...T0..J;.J....o.[.O....P.....'.k.......:.i.Bu.)...P#......^.....Jy.(o..:.?.......]./........

C:\Program Files (x86)\CPointASP\bin\x86\libFLAC_dynamic.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	512014
Entropy (8bit):	6.566561154468342
Encrypted:	false
SSDEEP:	12288:BNKab1bu1dEpBZvkO4KTYnyA0bFHmufLKNs3gv:rKcozEpbvkOCyA0xGufLKau
MD5:	C4A2068C59597175CD1A29F3E7F31BC1
SHA1:	89DE0169028E2BDD5F87A51E2251F7364981044D
SHA-256:	7AE79F834A4B875A14D63A0DB356EEC1D356F8E64FF9964E458D1C2050E5D180
SHA-512:	0989EA9E0EFADF1F6C31E7FC243371BB92BFD1446CF62798DCA38A021FAD8B6ADB0AEABDFBDC5CE8B71FE920E341FC8AB4E906B1839C6E469C75D8148A74A08A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...P/.d...........#...(.l.........................n.........................P............@... ..........................:........... .......................0..L...........................d...........................P............................text....k.......l..................`..`.data................p..............@....rdata...t.......v...r..............@..@/4......L...........................@..@.bss....X................................edata...:.......<...j..............@..@.idata..............................@....CRT....,...........................@....tls................................@....rsrc........ ......................@....reloc..L....0......................@..B........................................................................................................................................................................................

C:\Program Files (x86)\CPointASP\bin\x86\libdtsdec.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	126478
Entropy (8bit):	6.268811819718352
Encrypted:	false
SSDEEP:	3072:UnNKg6JaJUeHjiaphKMLrn8uexz3TmBUg6xcE:UNcJGGehKMLJBUg6x
MD5:	6E93C9C8AADA15890073E74ED8D400C9
SHA1:	94757DBD181346C7933694EA7D217B2B7977CC5F
SHA-256:	B6E2FA50E0BE319104B05D6A754FE38991E6E1C476951CEE3C7EBDA0DC785E02
SHA-512:	A9F71F91961C75BB32871B1EFC58AF1E1710BDE1E39E7958AE9BB2A174E84E0DD32EBAAB9F5AE37275651297D8175EFA0B3379567E0EB0272423B604B4510852
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....^...................p.....m.........................p......f......... .........................{.... ...............................P..............................X........................!...............................text....\.......^..................`.P`.data........p.......b..............@.`..rdata..h&.......(...d..............@.`@/4......\B.......D..................@.0@.bss..................................`..edata..{...........................@.0@.idata....... ......................@.0..CRT....,....0......................@.0..tls.........@......................@.0..reloc.......P......................@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CPointASP\bin\x86\libsoxr.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	227328
Entropy (8bit):	6.641153481093122
Encrypted:	false
SSDEEP:	6144:jtJXnqDMJgH50aKyumLCGTrS4ifbjoO88k:KqgHlKyumLCGTrS4inoZ
MD5:	BC824DC1D1417DE0A0E47A30A51428FD
SHA1:	C909C48C625488508026C57D1ED75A4AE6A7F9DB
SHA-256:	A87AA800F996902F06C735EA44F4F1E47F03274FE714A193C9E13C5D47230FAB
SHA-512:	566B5D5DDEA920A31E0FB9E048E28EF2AC149EF075DB44542A46671380F904427AC9A6F59FBC09FE3A4FBB2994F3CAEEE65452FE55804E403CEABC091FFAF670
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...e>.a...........#.........t...V.................e.........................@......1......... .........................#....................................0...............................).......................................................text...............................`.P`.data...............................@.`..rdata..d0.......2..................@.`@.eh_framd@...@...B..................@.0@.bss.....T............................`..edata..#............T..............@.0@.idata...............^..............@.0..CRT....,............d..............@.0..tls......... .......f..............@.0..reloc.......0.......h..............@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CPointASP\bin\x86\libwebp.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	394752
Entropy (8bit):	6.662070316214798
Encrypted:	false
SSDEEP:	6144:uAlmRfeS+mOxv8bgDTuXU54l8WybBE36IpuIT9nxQPQnhH/a0CRdWqWJwGKp:zlm0S+SEuXU54NylJIJ9KPQnhilRsVJ
MD5:	A4123DE65270C91849FFEB8515A864C4
SHA1:	93971C6BB25F3F4D54D4DF6C0C002199A2F84525
SHA-256:	43A9928D6604BF604E43C2E1BAB30AE1654B3C26E66475F9488A95D89A4E6113
SHA-512:	D0834F7DB31ABA8AA9D97479938DA2D4CD945F76DC2203D60D24C75D29D36E635C2B0D97425027C4DEBA558B8A41A77E288F73263FA9ABC12C54E93510E3D384
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......KL...-d..-d..-d..U...-d..Be..-d.TEe..-d..-e.:-d..Ba..-d..B`..-d..Bg..-d..B`.c-d..Bd..-d..B...-d..Bf..-d.Rich.-d.........................PE..L.....b`...........!.....L..........+S.......`...............................P............@.................................L........... .................... ..\ ..$...............................@...@............`...............................text...NK.......L.................. ..`.rdata......`.......P..............@..@.data...............................@....rsrc... ...........................@..@.reloc..\ ... ..."..................@..B................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CPointASP\bin\x86\libwinpthread-1.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	68042
Entropy (8bit):	6.090396152400884
Encrypted:	false
SSDEEP:	768:RX3HAdi7wgCsL6dVSngk2IFm3ZJVRDBLRROBBKRzPm3YRiF+ixh:NHQpe6SnZQLjICPm3Ytib
MD5:	5DDA5D34AC6AA5691031FD4241538C82
SHA1:	22788C2EBE5D50FF36345EA0CB16035FABAB8A6C
SHA-256:	DE1A9DD251E29718176F675455592BC1904086B9235A89E6263A3085DDDCBB63
SHA-512:	08385DE11A0943A6F05AC3F8F1E309E1799D28EA50BF1CA6CEB01E128C0CD7518A64E55E8B56A4B8EF9DB3ECD2DE33D39779DCA1FBF21DE735E489A09159A1FD
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........V......#...&...........................d......................................@... ..............................0..t....`..P....................p.......................................................1..H............................text...d...........................`..`.data...L...........................@....rdata..\...........................@..@/4.......2.......4..................@..@.bss.....................................edata..............................@..@.idata..t....0......................@....CRT....0....@......................@....tls.........P......................@....rsrc...P....`......................@....reloc.......p......................@..B........................................................................................................................................................................................

C:\Program Files (x86)\CPointASP\bin\x86\mp3gain.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	123406
Entropy (8bit):	6.263889638223575
Encrypted:	false
SSDEEP:	1536:hnPkU1t2P2hHV5JG1YBBAUBEd8+poyez9djcx2/8s6UJqfxX+1XOAhbKzb3+d:xPu21IYyCTToE6c+6e+d
MD5:	B49ECFA819479C3DCD97FAE2A8AB6EC6
SHA1:	1B8D47D4125028BBB025AAFCA1759DEB3FC0C298
SHA-256:	B9D5317E10E49AA9AD8AD738EEBE9ACD360CC5B20E2617E5C0C43740B95FC0F2
SHA-512:	18617E57A76EFF6D95A1ED735CE8D5B752F1FB550045FBBEDAC4E8E67062ACD7845ADC6FBE62238C383CED5E01D7AA4AB8F968DC442B67D62D2ED712DB67DC13
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........................R.......d>..........p....@...........................@......^........ ...............................@.4...................................................................................\|.@.@............................text....Q.......R..................`.P`.data...\....p.......V..............@.@..rdata...a.......b...X..............@.`@/4..................................@.0@.bss.....c>...........................`..idata..4.....@.....................@.0..CRT....4.....@.....................@.0..tls..........@.....................@.0.................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CPointASP\bin\x86\pcm2dsd.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	22542
Entropy (8bit):	5.5875455203930615
Encrypted:	false
SSDEEP:	384:RKAPwPQJgZd3rw0bGMtyz1fiaqmjj1nFY4j70UotV9mRyK:YPQJgZZwUGH1fJljj1+D18
MD5:	E1C0147422B8C4DB4FC4C1AD6DD1B6EE
SHA1:	4D10C5AD96756CBC530F3C35ADCD9E4B3F467CFA
SHA-256:	124F210C04C12D8C6E4224E257D934838567D587E5ABAEA967CBD5F088677049
SHA-512:	A163122DFFE729E6F1CA6EB756A776F6F01A784A488E2ACCE63AEAFA14668E8B1148BE948EB4AF4CA8C5980E85E681960B8A43C94B95DFFC72FCCEE1E170BD9A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........X...............,...T...............@....@.......................................... .................................@...........................................................PU..........................P............................text....+.......,..................`.P`.data........@.......0..............@.`..rdata..0....P.......2..............@.0@/4...........`.......<..............@.0@.bss.........p........................`..idata..@............J..............@.0..CRT....4............T..............@.0..tls.................V..............@.0.................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CPointASP\bin\x86\plugins\internal\is-HHJJI.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	15374
Entropy (8bit):	5.25938266470983
Encrypted:	false
SSDEEP:	192:l0HhuwYqkoiCBJRgcsZQPCkWa/HI77wbcRODYCpes2n13dwczbUwS7RE8SD:lqhoqkVCXWgI77B0hGnLwczbUwSC8g
MD5:	228EE3AFDCC5F75244C0E25050A346CB
SHA1:	822B7674D1B7B091C1478ADD2F88E0892542516F
SHA-256:	7ACD537F3BE069C7813DA55D6BC27C3A933DF2CF07D29B4120A8DF0C26D26561
SHA-512:	7DFA06B9775A176A9893E362B08DA7F2255037DC99FB6BE53020ECD4841C7E873C03BAC11D14914EFDFE84EFEB3FB99745566BB39784962365BEEBDB89A4531B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........<.........#.........8...............0....Xj.......................................... ......................p......................................................................P@......................................................text...$...........................`.P`.data...,....0......................@.0..rdata.......@....... ..............@.0@/4...........P......."..............@.0@.bss.........`........................`..edata.......p......................@.0@.idata...............0..............@.0..CRT....,............6..............@.0..tls.................8..............@.0..reloc...............:..............@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CPointASP\bin\x86\plugins\internal\is-IOMGH.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	25614
Entropy (8bit):	6.0293046975090325
Encrypted:	false
SSDEEP:	768:MiksLrrN6mRXYYYYYYYYYYYYYYYYYYYYYYYYYI9W0oM:zrHFYYYYYYYYYYYYYYYYYYYYYYYYY70N
MD5:	B82364A204396C352F8CC9B2F8ABEF73
SHA1:	20AD466787D65C987A9EBDBD4A2E8845E4D37B68
SHA-256:	2A64047F9B9B07F6CB22BFE4F9D4A7DB06994B6107B5EA2A7E38FAFA9E282667
SHA-512:	C8CAFA4C315CE96D41AD521E72180DF99931B5F448C8647161E7F9DCA29AA07213B9CCEF9E3F7FB5353C7B459E3DA620E560153BDBA1AB529C206330DBD26FF5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........d.........#....."...`...............@.... g.................................a........ .........................@.......@...............................`............................c.......................................................text.... ......."..................`.P`.data........@.......&..............@.`..rdata.......`.......@..............@.0@/4...........p.......F..............@.0@.bss..................................`..edata..@............T..............@.0@.idata..@............V..............@.0..CRT....,............\..............@.0..tls.................^..............@.0..reloc..`............`..............@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CPointASP\bin\x86\plugins\internal\peak_scanner_plugin_c.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	15374
Entropy (8bit):	5.25938266470983
Encrypted:	false
SSDEEP:	192:l0HhuwYqkoiCBJRgcsZQPCkWa/HI77wbcRODYCpes2n13dwczbUwS7RE8SD:lqhoqkVCXWgI77B0hGnLwczbUwSC8g
MD5:	228EE3AFDCC5F75244C0E25050A346CB
SHA1:	822B7674D1B7B091C1478ADD2F88E0892542516F
SHA-256:	7ACD537F3BE069C7813DA55D6BC27C3A933DF2CF07D29B4120A8DF0C26D26561
SHA-512:	7DFA06B9775A176A9893E362B08DA7F2255037DC99FB6BE53020ECD4841C7E873C03BAC11D14914EFDFE84EFEB3FB99745566BB39784962365BEEBDB89A4531B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........<.........#.........8...............0....Xj.......................................... ......................p......................................................................P@......................................................text...$...........................`.P`.data...,....0......................@.0..rdata.......@....... ..............@.0@/4...........P......."..............@.0@.bss.........`........................`..edata.......p......................@.0@.idata...............0..............@.0..CRT....,............6..............@.0..tls.................8..............@.0..reloc...............:..............@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CPointASP\bin\x86\plugins\internal\raw_decode_plugin_c.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	25614
Entropy (8bit):	6.0293046975090325
Encrypted:	false
SSDEEP:	768:MiksLrrN6mRXYYYYYYYYYYYYYYYYYYYYYYYYYI9W0oM:zrHFYYYYYYYYYYYYYYYYYYYYYYYYY70N
MD5:	B82364A204396C352F8CC9B2F8ABEF73
SHA1:	20AD466787D65C987A9EBDBD4A2E8845E4D37B68
SHA-256:	2A64047F9B9B07F6CB22BFE4F9D4A7DB06994B6107B5EA2A7E38FAFA9E282667
SHA-512:	C8CAFA4C315CE96D41AD521E72180DF99931B5F448C8647161E7F9DCA29AA07213B9CCEF9E3F7FB5353C7B459E3DA620E560153BDBA1AB529C206330DBD26FF5
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........d.........#....."...`...............@.... g.................................a........ .........................@.......@...............................`............................c.......................................................text.... ......."..................`.P`.data........@.......&..............@.`..rdata.......`.......@..............@.0@/4...........p.......F..............@.0@.bss..................................`..edata..@............T..............@.0@.idata..@............V..............@.0..CRT....,............\..............@.0..tls.................^..............@.0..reloc..`............`..............@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CPointASP\bin\x86\rg_ebur128.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	43520
Entropy (8bit):	6.232860260916194
Encrypted:	false
SSDEEP:	768:XozEJVjDF38DrOPwLg0cAY7K+k+Y+TyHMjMbHVJx9jm3LkkteFfXbBekdAnPKx:Xo4JJDirOoLg0C7F/rDGdpB52PK
MD5:	B162992412E08888456AE13BA8BD3D90
SHA1:	095FA02EB14FD4BD6EA06F112FDAFE97522F9888
SHA-256:	2581A6BCA6F4B307658B24A7584A6B300C91E32F2FE06EB1DCA00ADCE60FA723
SHA-512:	078594DE66F7E065DCB48DA7C13A6A15F8516800D5CEE14BA267F43DC73BC38779A4A4ED9444AFDFA581523392CBE06B0241AA8EC0148E6BCEA8E23B78486824
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....z.......D................,n.........................p.......`........ ...................... .......0...............................`..............................t........................0...............................text....x.......z..................`.P`.data...,............~..............@.0..rdata..............................@.P@.eh_fram\|...........................@.0@.bss.....B............................`..edata....... ......................@.0@.idata.......0......................@.0..CRT....,....@......................@.0..tls.........P......................@.0..reloc.......`......................@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CPointASP\bin\x86\sd.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	240654
Entropy (8bit):	6.518503846592995
Encrypted:	false
SSDEEP:	6144:yZDfF4DjzIHBV+bUeenu+t+oSTdjpNZ7utS81qpHW4paP2L:ekjzMBVKXeuq+oSTdjpr7N8f+L
MD5:	4F0C85351AEC4B00300451424DB4B5A4
SHA1:	BB66D807EDE0D7D86438207EB850F50126924C9D
SHA-256:	CC0B53969670C7275A855557EA16182C932160BC0F8543EFFC570F760AE2185E
SHA-512:	80C84403ED47380FF75EBA50A23E565F7E5C68C7BE8C208A5A48B7FB0798FF51F3D33780C902A6F8AB0E6DB328860C071C77B93AC88CADF84FEF7DF34DE3E2DA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.....H...................`.....g.................................\........ .........................o.......\...............................t............................S.......................................................text...dF.......H..................`.P`.data...X....`.......L..............@.P..rdata.......p.......N..............@.`@/4.......<.......>...T..............@.0@.bss..................................`..edata..o...........................@.0@.idata..\...........................@.0..CRT....,...........................@.0..tls................................@.0..reloc..t...........................@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CPointASP\bin\x86\tak_deco_lib.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	112640
Entropy (8bit):	6.540227486061059
Encrypted:	false
SSDEEP:	1536:45vq1zsdXYjZmGz9anu3MwjLA/eeiUKJP3Djl23HTKJ7WMU3lPyK+ZSrKxV/UJ9G:vzMMg/gMKeGsMIl6K+Zvry5zNY
MD5:	BDB65DCE335AC29ECCBC2CA7A7AD36B7
SHA1:	CE7678DCF7AF0DBF9649B660DB63DB87325E6F69
SHA-256:	7EC9EE07BFD67150D1BC26158000436B63CA8DBB2623095C049E06091FA374C3
SHA-512:	8AABCA6BE47A365ACD28DF8224F9B9B5E1654F67E825719286697FB9E1B75478DDDF31671E3921F06632EED5BB3DDA91D81E48D4550C2DCD8E2404D566F1BC29
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................f...N......0u............@.....................................................................2.......v...............................h...................................................................................CODE....Pe.......f.................. ..`DATA....D............j..............@...BSS......................................idata..v...........................@....edata..2...........................@..P.reloc..h...........................@..P.rsrc...............................@..P....................................@..P................................................................................................................................................................................

C:\Program Files (x86)\CPointASP\bin\x86\takdec.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	772608
Entropy (8bit):	6.546391052615969
Encrypted:	false
SSDEEP:	6144:Q75mFL0MNnM/SQdtij4UujFhGiNV1SckT3wio2L2jV6EfnQ29mwF3s4iGtInw1m8:AwN0e0lN1fnQUFccGns9ukS6
MD5:	B3B487FC3832B607A853211E8AC42CAD
SHA1:	06E32C28103D33DAD53BE06C894203F8808D38C1
SHA-256:	30BC10BD6E5B2DB1ACE93C2004E24C128D20C242063D4F0889FD3FB3E284A9E4
SHA-512:	FA6BDBA4F2A0CF4CCA40A333B69FD041D9EDC0736EDA206F17F10AF5505CC4688B0401A3CAD2D2F69392E752B8877DB593C7872BCDB133DC785A200FF38598BB
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....1.d.................D..........$].......`....@.......................................@......@...................0..o............p...(...................`...............................P......................X........ .......................text...h4.......6.................. ..`.itext.......P.......:.............. ..`.data....7...`...8...H..............@....bss....0i...............................idata..............................@....didata...... ......................@....edata..o....0......................@..@.tls.........@...........................rdata..]....P......................@..@.reloc.......`......................@..B.rsrc....(...p...(..................@..@....................................@..@................

C:\Program Files (x86)\CPointASP\bin\x86\uchardet.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	294926
Entropy (8bit):	6.191604766067493
Encrypted:	false
SSDEEP:	3072:7E0FFjiAeF21pLQFgK33duKMnlCj3eWyNg2hlNvFXl8rzJjjOjVmdX566Uwqwqwm:wKFX3LygKjjN2HIfpruwqwqwFUgVE
MD5:	C76C9AE552E4CE69E3EB9EC380BC0A42
SHA1:	EFFEC2973C3D678441AF76CFAA55E781271BD1FB
SHA-256:	574595B5FD6223E4A004FA85CBB3588C18CC6B83BF3140D8F94C83D11DBCA7BD
SHA-512:	7FB385227E802A0C77749978831245235CD1343B95D97E610D20FB0454241C465387BCCB937A2EE8A2E0B461DD3D2834F7F542E7739D8E428E146F378A24EE97
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#.........\|.....................n.................................c........ ......................`..j7...........................................................................................................................text...8...........................`.P`.data...x...........................@.0..rdata...F.......H..................@.`@/4.......U.......V..................@.0@.bss.........P........................`..edata..j7...`...8...$..............@.0@.idata...............\..............@.0..CRT....,............b..............@.0..tls.................d..............@.0..reloc...............f..............@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CPointASP\bin\x86\utils.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	13838
Entropy (8bit):	5.173769974589746
Encrypted:	false
SSDEEP:	192:oh3ZZBe9xz7rdz9Us5bsRuKUYDpesWAhQqCNhNXUwS7RuLH9+E:ohLBe3dz9UsikKDGZqCNhNXUwS4bcE
MD5:	9C55B3E5ED1365E82AE9D5DA3EAEC9F2
SHA1:	BB3D30805A84C6F0803BE549C070F21C735E10A9
SHA-256:	D2E374DF7122C0676B4618AED537DFC8A7B5714B75D362BFBE85B38F47E3D4A4
SHA-512:	EEFE8793309FDC801B1649661B0C17C38406A9DAA1E12959CD20344975747D470D6D9C8BE51A46279A42FE1843C254C432938981D108F4899B93CDD744B5D968
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........6.........#.........2...............0....@m.................................Z........ ......................p..J.......h............................................................@......................................................text...............................`.P`.data...,....0......................@.0..rdata.......@......................@.0@/4...........P......................@.0@.bss.........`........................`..edata..J....p.......(..............@.0@.idata..h............*..............@.0..CRT....,............0..............@.0..tls.................2..............@.0..reloc...............4..............@.0B................................................................................................................................................................................................................................

C:\Program Files (x86)\CPointASP\bin\x86\wavpackdll.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	258560
Entropy (8bit):	6.491223412910377
Encrypted:	false
SSDEEP:	6144:X+FRYMGwNozw5upAagZnb80OXrGSc+w9nI7ZMcyVhk233M:SGMGbw5upAagZb80SMXzkgM
MD5:	DB191B89F4D015B1B9AEE99AC78A7E65
SHA1:	8DAC370768E7480481300DD5EBF8BA9CE36E11E3
SHA-256:	38A75F86DB58EB8D2A7C0213861860A64833C78F59EFF19141FFD6C3B6E28835
SHA-512:	A27E26962B43BA84A5A82238556D06672DCF17931F866D24E6E8DCE88F7B30E80BA38B071943B407A7F150A57CF1DA13D2137C235B902405BEDBE229B6D03784
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B.j..f...f...f..]....f..]...f..]....f......f......f......f......f..]....f...f..]f......f......f......f...f...f......f..Rich.f..........PE..L...y.._...........!................@........ ...............................@..........................................d...$...(.......h.................... ......................................(...@............ ..8............................text...q........................... ..`asmcode.>$.......&.................. ..`.rdata..B.... ......................@..@.data...............................@....rsrc...h...........................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................

C:\Program Files (x86)\CPointASP\cpointasp.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	1642495
Entropy (8bit):	7.046845970009018
Encrypted:	false
SSDEEP:	24576:wmCaH7LA76aNXR2g5iXj8Y1d1mEkrg/VFp6P1WJCkKfWTo0aII1AvMDwMVgJwpC2:v1uViz8Y1d1Jq
MD5:	9DCE8CBCB90200F461757260260F7FB7
SHA1:	C602735F22B53E4FB38858C0BDF143A28590460A
SHA-256:	5922E374C679519E68C34E99B1DD21A519665EDB7FC024E93A8F8A24D19150B5
SHA-512:	3F6056DAB3009F445DF13657A25EF2BF653BE1610777D27BFC1F76EC873B0B25AE88055CBFCE3366E9A9877C4E216142869BE4F6E21CEC481D85D0CBFC899ABA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Q.e............................&........ ....@.......................... ...............................................%.......p...b........................................................................... ...............................text............................... ..`.rdata...$... ...0... ..............@..@.data........P.......P..............@....rsrc....b...p...p...`..............@..@_text_9..@.......?..................`...........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CPointASP\is-8I1H0.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	data
Category:	dropped
Size (bytes):	1642495
Entropy (8bit):	7.046846233358879
Encrypted:	false
SSDEEP:	24576:vmCaH7LA76aNXR2g5iXj8Y1d1mEkrg/VFp6P1WJCkKfWTo0aII1AvMDwMVgJwpC2:Y1uViz8Y1d1Jq
MD5:	9CAE4F6988E3F4FFAFF16466F1F1F69C
SHA1:	B67220AD071B3470223B3B0B4A5EAB82938FA0E5
SHA-256:	C958449303A54A1ECF8847531F84DE6F7A0DBEE06D1F00184336A1D6631A26B4
SHA-512:	53B53EA1C46AE9A8DED3B7BEE6C6066B4401655A8E9D9153402F4E1FF9CA2E34026830DE9C017B17B28482D2FC56CF0800F6EA160AFB93388DCB8BFB4DCCD2D2
Malicious:	false
Preview:	.Z......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Q.e............................&........ ....@.......................... ...............................................%.......p...b........................................................................... ...............................text............................... ..`.rdata...$... ...0... ..............@..@.data........P.......P..............@....rsrc....b...p...p...`..............@..@_text_9..@.......?..................`...........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Program Files (x86)\CPointASP\is-UK3TA.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	715038
Entropy (8bit):	6.5050297315914065
Encrypted:	false
SSDEEP:	12288:cRObekMSkfohrPUs37uzHnA6zg5cIsalHERjUrNN/RQ9wgUT5EDExycA:eObekrkfohrP337uzHnA6cHswHE/6gUQ
MD5:	5A85B97E92D4F4E43E49307DD931C78B
SHA1:	9988FD92ABAB7AE560020C486EFC5FA7DF8A21D6
SHA-256:	FBDBE0C8EC6D3B8DD5FD80373DB9DA2E1D82DE250544C9181EB6537AC0F8F5C4
SHA-512:	EF085F9610D7A3B37CE079D8F0F4F1998494DED9E3CBF07431C667515D2035F739E851AF143DB37B2CE1D721C8A1D789E8C1EA41B775D15FF814A6E650E39130
Malicious:	false
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................f...........q............@..............................................@...............................%..................................................................................................................CODE....(d.......f.................. ..`DATA.................j..............@...BSS..................\|...................idata...%.......&...\|..............@....tls.....................................rdata..............................@..P.reloc.............................@..P.rsrc...............................@..P.....................J..............@..P........................................................................................................................................

C:\Program Files (x86)\CPointASP\stuff\date.txt (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	IFF data
Category:	dropped
Size (bytes):	1716
Entropy (8bit):	4.781797138644031
Encrypted:	false
SSDEEP:	24:wSXqInX3C5DMDxJWyjPTw2C4F0lB6v4AnFt+cUeC1/B0vFFNgpX27:wSacX3ChMDxPpulB6gAFHSJE6X27
MD5:	257D1BF38FA7859FFC3717EF36577C04
SHA1:	A9D2606CFC35E17108D7C079A355A4DB54C7C2EE
SHA-256:	DFACC2F208EBF6D6180EE6E882117C31BB58E8B6A76A26FB07AC4F40E245A0CB
SHA-512:	E13A6F489C9C5BA840502F73ACD152D366E0CCDD9D3D8E74B65FF89FDC70CD46F52E42EEE0B4BA9F151323EC07C4168CF82446334564ADAA8666624F7B8035F3
Malicious:	false
Preview:	FORMAT controls the output. Interpreted sequences are:.. %% a literal %. %a locale's abbreviated weekday name (e.g., Sun). %A locale's full weekday name (e.g., Sunday). %b locale's abbreviated month name (e.g., Jan). %B locale's full month name (e.g., January). %c locale's date and time (e.g., Thu Mar 3 23:05:25 2005). %C century; like %Y, except omit last two digits (e.g., 20). %d day of month (e.g., 01). %D date; same as %m/%d/%y. %e day of month, space padded; same as %_d. %F full date; same as %Y-%m-%d. %g last two digits of year of ISO week number (see %G). %G year of ISO week number (see %V); normally useful only with %V. %h same as %b. %H hour (00..23). %I hour (01..12). %j day of year (001..366). %k hour, space padded ( 0..23); same as %_H. %l hour, space padded ( 1..12); same as %_I. %m month (01..12). %M minute (00..59). %n a newline. %N nanoseconds (000000000..999999999). %p locale's equivalent of eith

C:\Program Files (x86)\CPointASP\stuff\is-FE4PQ.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1825
Entropy (8bit):	5.088030483893024
Encrypted:	false
SSDEEP:	24:ZhIPjdbiNJQ387Udf9NpHjjY2S7AJYazRMiZMjYzMX2OP5usmC2ZxJnIBVjYHwZ2:vg79lS7sbtujNfuvlXJEVjH4O2
MD5:	992C00BEAB194CE392117BB419F53051
SHA1:	8F9114C95E2A2C9F9C65B9243D941DCB5CEA40DE
SHA-256:	9E35C8E29CA055CE344E4C206E7B8FF1736158D0B47BF7B3DBC362F7EC7E722C
SHA-512:	FACDCA78AE7D874300EACBE3014A9E39868C93493B9CD44AAE1AB39AFA4D2E0868E167BCA34F8C445AA7CCC9DDB27E1B607D739AF94AA4840789A3F01E7BED9D
Malicious:	false
Preview:	.# Tag replace definition..# ..# Values must be put into sections...# The following section names are supported:..#..# [*] is for all tags, i.e. values specified under this section will be replace in all tags..# Following tag-specific identifiers can be used. Values will be replaced only in specified tag...# [Conductor]..# [Date]..# [Publisher]..# [Lyrics]..# [Flags]..# [ISRC]..# [Title]..# [Catalog]..# [Year]..# [Genre]..# [Artist]..# [Album]..# [DiscId]..# [BPM]..# [Album Artist]..# [Composer]..# [Content Group]..# [Compilation]..# [Disc]..# [Track]..# [Comments]..# [Encoded by]..#..# Format is <value from>=<value to>..# where <value from> is case-sensitive value, which will be replaced..# with <value to>, which is RegEx expression...#..# If you want to do a case insensitive replacement, add ! to the name of the section ..#..# Those are specific value, which can be used as <value from>:..#..# <NULL> is used to specify empty tag as well as empty value, e.g. ..# [Comments]..# <ANY>=<

C:\Program Files (x86)\CPointASP\stuff\is-G80DQ.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	IFF data
Category:	dropped
Size (bytes):	1716
Entropy (8bit):	4.781797138644031
Encrypted:	false
SSDEEP:	24:wSXqInX3C5DMDxJWyjPTw2C4F0lB6v4AnFt+cUeC1/B0vFFNgpX27:wSacX3ChMDxPpulB6gAFHSJE6X27
MD5:	257D1BF38FA7859FFC3717EF36577C04
SHA1:	A9D2606CFC35E17108D7C079A355A4DB54C7C2EE
SHA-256:	DFACC2F208EBF6D6180EE6E882117C31BB58E8B6A76A26FB07AC4F40E245A0CB
SHA-512:	E13A6F489C9C5BA840502F73ACD152D366E0CCDD9D3D8E74B65FF89FDC70CD46F52E42EEE0B4BA9F151323EC07C4168CF82446334564ADAA8666624F7B8035F3
Malicious:	false
Preview:	FORMAT controls the output. Interpreted sequences are:.. %% a literal %. %a locale's abbreviated weekday name (e.g., Sun). %A locale's full weekday name (e.g., Sunday). %b locale's abbreviated month name (e.g., Jan). %B locale's full month name (e.g., January). %c locale's date and time (e.g., Thu Mar 3 23:05:25 2005). %C century; like %Y, except omit last two digits (e.g., 20). %d day of month (e.g., 01). %D date; same as %m/%d/%y. %e day of month, space padded; same as %_d. %F full date; same as %Y-%m-%d. %g last two digits of year of ISO week number (see %G). %G year of ISO week number (see %V); normally useful only with %V. %h same as %b. %H hour (00..23). %I hour (01..12). %j day of year (001..366). %k hour, space padded ( 0..23); same as %_H. %l hour, space padded ( 1..12); same as %_I. %m month (01..12). %M minute (00..59). %n a newline. %N nanoseconds (000000000..999999999). %p locale's equivalent of eith

C:\Program Files (x86)\CPointASP\stuff\is-HMHU4.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	IFF data
Category:	dropped
Size (bytes):	1716
Entropy (8bit):	4.781797138644031
Encrypted:	false
SSDEEP:	24:wSXqInX3C5DMDxJWyjPTw2C4F0lB6v4AnFt+cUeC1/B0vFFNgpX27:wSacX3ChMDxPpulB6gAFHSJE6X27
MD5:	257D1BF38FA7859FFC3717EF36577C04
SHA1:	A9D2606CFC35E17108D7C079A355A4DB54C7C2EE
SHA-256:	DFACC2F208EBF6D6180EE6E882117C31BB58E8B6A76A26FB07AC4F40E245A0CB
SHA-512:	E13A6F489C9C5BA840502F73ACD152D366E0CCDD9D3D8E74B65FF89FDC70CD46F52E42EEE0B4BA9F151323EC07C4168CF82446334564ADAA8666624F7B8035F3
Malicious:	false
Preview:	FORMAT controls the output. Interpreted sequences are:.. %% a literal %. %a locale's abbreviated weekday name (e.g., Sun). %A locale's full weekday name (e.g., Sunday). %b locale's abbreviated month name (e.g., Jan). %B locale's full month name (e.g., January). %c locale's date and time (e.g., Thu Mar 3 23:05:25 2005). %C century; like %Y, except omit last two digits (e.g., 20). %d day of month (e.g., 01). %D date; same as %m/%d/%y. %e day of month, space padded; same as %_d. %F full date; same as %Y-%m-%d. %g last two digits of year of ISO week number (see %G). %G year of ISO week number (see %V); normally useful only with %V. %h same as %b. %H hour (00..23). %I hour (01..12). %j day of year (001..366). %k hour, space padded ( 0..23); same as %_H. %l hour, space padded ( 1..12); same as %_I. %m month (01..12). %M minute (00..59). %n a newline. %N nanoseconds (000000000..999999999). %p locale's equivalent of eith

C:\Program Files (x86)\CPointASP\stuff\is-VHERS.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1825
Entropy (8bit):	5.088030483893024
Encrypted:	false
SSDEEP:	24:ZhIPjdbiNJQ387Udf9NpHjjY2S7AJYazRMiZMjYzMX2OP5usmC2ZxJnIBVjYHwZ2:vg79lS7sbtujNfuvlXJEVjH4O2
MD5:	992C00BEAB194CE392117BB419F53051
SHA1:	8F9114C95E2A2C9F9C65B9243D941DCB5CEA40DE
SHA-256:	9E35C8E29CA055CE344E4C206E7B8FF1736158D0B47BF7B3DBC362F7EC7E722C
SHA-512:	FACDCA78AE7D874300EACBE3014A9E39868C93493B9CD44AAE1AB39AFA4D2E0868E167BCA34F8C445AA7CCC9DDB27E1B607D739AF94AA4840789A3F01E7BED9D
Malicious:	false
Preview:	.# Tag replace definition..# ..# Values must be put into sections...# The following section names are supported:..#..# [*] is for all tags, i.e. values specified under this section will be replace in all tags..# Following tag-specific identifiers can be used. Values will be replaced only in specified tag...# [Conductor]..# [Date]..# [Publisher]..# [Lyrics]..# [Flags]..# [ISRC]..# [Title]..# [Catalog]..# [Year]..# [Genre]..# [Artist]..# [Album]..# [DiscId]..# [BPM]..# [Album Artist]..# [Composer]..# [Content Group]..# [Compilation]..# [Disc]..# [Track]..# [Comments]..# [Encoded by]..#..# Format is <value from>=<value to>..# where <value from> is case-sensitive value, which will be replaced..# with <value to>, which is RegEx expression...#..# If you want to do a case insensitive replacement, add ! to the name of the section ..#..# Those are specific value, which can be used as <value from>:..#..# <NULL> is used to specify empty tag as well as empty value, e.g. ..# [Comments]..# <ANY>=<

C:\Program Files (x86)\CPointASP\stuff\tagsreplace.txt (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
Category:	dropped
Size (bytes):	1825
Entropy (8bit):	5.088030483893024
Encrypted:	false
SSDEEP:	24:ZhIPjdbiNJQ387Udf9NpHjjY2S7AJYazRMiZMjYzMX2OP5usmC2ZxJnIBVjYHwZ2:vg79lS7sbtujNfuvlXJEVjH4O2
MD5:	992C00BEAB194CE392117BB419F53051
SHA1:	8F9114C95E2A2C9F9C65B9243D941DCB5CEA40DE
SHA-256:	9E35C8E29CA055CE344E4C206E7B8FF1736158D0B47BF7B3DBC362F7EC7E722C
SHA-512:	FACDCA78AE7D874300EACBE3014A9E39868C93493B9CD44AAE1AB39AFA4D2E0868E167BCA34F8C445AA7CCC9DDB27E1B607D739AF94AA4840789A3F01E7BED9D
Malicious:	false
Preview:	.# Tag replace definition..# ..# Values must be put into sections...# The following section names are supported:..#..# [*] is for all tags, i.e. values specified under this section will be replace in all tags..# Following tag-specific identifiers can be used. Values will be replaced only in specified tag...# [Conductor]..# [Date]..# [Publisher]..# [Lyrics]..# [Flags]..# [ISRC]..# [Title]..# [Catalog]..# [Year]..# [Genre]..# [Artist]..# [Album]..# [DiscId]..# [BPM]..# [Album Artist]..# [Composer]..# [Content Group]..# [Compilation]..# [Disc]..# [Track]..# [Comments]..# [Encoded by]..#..# Format is <value from>=<value to>..# where <value from> is case-sensitive value, which will be replaced..# with <value to>, which is RegEx expression...#..# If you want to do a case insensitive replacement, add ! to the name of the section ..#..# Those are specific value, which can be used as <value from>:..#..# <NULL> is used to specify empty tag as well as empty value, e.g. ..# [Comments]..# <ANY>=<

C:\Program Files (x86)\CPointASP\unins000.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	InnoSetup Log CPointASP, version 0x30, 7548 bytes, 585948\user, "C:\Program Files (x86)\CPointASP"
Category:	dropped
Size (bytes):	7548
Entropy (8bit):	5.015952047732236
Encrypted:	false
SSDEEP:	96:T45WgDX7pbgUHm4JOIhnC4cVSQs0Ln/UauxVWIDn:T45WgD7pXGTIhrcVSQ1n/CQyn
MD5:	BC5451FBBD329FE9FB7CD01F25E59657
SHA1:	3B3F0F1315FFC22B41CDA627EBD8E556AA85FD4E
SHA-256:	478BF161861C855C2D4650D14359E85A5206E9D7673590B1A558ECD81A467B5E
SHA-512:	B1C12A7544F1FE22613C2797BDBBD409E2514CA11AD8B65B2F84208133BA87C1609B19BBAF7B05C7D1BC714F368FA6BB18E7A9ADC06B92227AF7853693969667
Malicious:	false
Preview:	Inno Setup Uninstall Log (b)....................................CPointASP.......................................................................................................................CPointASP.......................................................................................................................0...;...\|...%.................................................................................................................,L..........%.......?....585948.user C:\Program Files (x86)\CPointASP...........!...).. .....S....2.IFPS.............................................................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TPASSWORDEDIT....TPASSWORDEDIT...........................................!MAIN....-1..(...dll:kernel32.dll.CreateFileA..............$...dll:kernel32.dll.WriteFile............"...dll:kernel32.dll.CloseHandle........"...dll:kernel32.dll.ExitProcess........%...dll:User32.dll.GetSystemMet

C:\Program Files (x86)\CPointASP\unins000.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	715038
Entropy (8bit):	6.5050297315914065
Encrypted:	false
SSDEEP:	12288:cRObekMSkfohrPUs37uzHnA6zg5cIsalHERjUrNN/RQ9wgUT5EDExycA:eObekrkfohrP337uzHnA6cHswHE/6gUQ
MD5:	5A85B97E92D4F4E43E49307DD931C78B
SHA1:	9988FD92ABAB7AE560020C486EFC5FA7DF8A21D6
SHA-256:	FBDBE0C8EC6D3B8DD5FD80373DB9DA2E1D82DE250544C9181EB6537AC0F8F5C4
SHA-512:	EF085F9610D7A3B37CE079D8F0F4F1998494DED9E3CBF07431C667515D2035F739E851AF143DB37B2CE1D721C8A1D789E8C1EA41B775D15FF814A6E650E39130
Malicious:	false
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................f...........q............@..............................................@...............................%..................................................................................................................CODE....(d.......f.................. ..`DATA.................j..............@...BSS..................\|...................idata...%.......&...\|..............@....tls.....................................rdata..............................@..P.reloc.............................@..P.rsrc...............................@..P.....................J..............@..P........................................................................................................................................

C:\ProgramData\AAEHIDAK

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1211596417522893
Encrypted:	false
SSDEEP:	192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8wH0hL3kWieF:r2qOB1nxCkvSAELyKOMq+8wH0hLUZs
MD5:	0AB67F0950F46216D5590A6A41A267C7
SHA1:	3E0DD57E2D4141A54B1C42DD8803C2C4FD26CB69
SHA-256:	4AE2FD6D1BEDB54610134C1E58D875AF3589EDA511F439CDCCF230096C1BEB00
SHA-512:	D19D99A54E7C7C85782D166A3010ABB620B32C7CD6C43B783B2F236492621FDD29B93A52C23B1F4EFC9BF998E1EF1DFEE953E78B28DF1B06C24BADAD750E6DF7
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\AAKJKJDGCGDBGDHIJKJE

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\AKECBFBAEBKJJJJKFCGC

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\BJZFPPWAPT.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.704346314649071
Encrypted:	false
SSDEEP:	24:XPzUwxdkbbeZScSZIv3ZoJNWhjcfzkabZsHx:fzUwx4bK+W/+fzuR
MD5:	8B66CD8FCBCEB253D75DB5CDE6291FA2
SHA1:	6CE0386190B9753849299B268AA7B8D15F9F72E2
SHA-256:	51AD0E037F53D8EEDFEBC58112BDFA30796A0A56FBD31B65384B41896489BDB4
SHA-512:	7C46027769E82ACD4E3ACB038FB80E34792E81B0527AE318194FE22BD066699A86E9B3E55AC5A1BCAC005FE0E8B7FB70B041656DF78BF84983A97CEDAA8861DC
Malicious:	false
Preview:	BJZFPPWAPTZISGUNDSDXEATFCUXAGEFCTTZKBNFYFVKDZEMPHZAJNCAVKZWYYNTVOWAJJLGAAUTHJTXJTGQLSVTGXPQIMVSAZAKJXHFSFGEVOJUYTICTQZLJZDQYBUBYFSZSBIOBVSAJCHKIQYCAYMMOZZQCCHGYUFOUMXHXCPNMUMVVZRXZCGPDXYDBBMVMWVPHNHLTQKLDBALGGHIVJYUKXJWAFDLMMQQUEQFWPXRQQODUGQSALTDJTROBSIRXEJYUMIWWHBCANDJZNUJGIKFXUWXKPWKATRJSISRBLFZRNYVGGJJMECDAMBUVQBAZGLVITWWCNZFHKZSKXZCMBCAKDDJCKKLPSOZVUJSWOYBBVEUPDSCKJRFEYGLDGCUHDWDNXCLOHDPVAIFYDTEOJCHJMFFBYBQICVVKCFBQZTCRCDMDLPWOJNYPCOZSCAPIZTHRAONKKSINEYBBWDVGRURGHBALLNKTXIGFWNKLQZPCTSMBRQYVMGXEIBGKILOUERUQSZIKLJQNKDPZJVSDIANCPNMTCRACOINNDAMOQOPAIVLAVJQWKZFANIEXSROWVPTCRRWMWEOIFZXRTNMYBGRZIKPJCTJYJQFKGVOKPTJYXUDCYYOIPMURGGXZGVLUDYKKODERMFIEIWKVSJARDMDMBGKRQHSUCNHMIFNOOKAZIJQSDSIGSBRMCBLXMKFSZZUAJROFXWXYRGSBMDTXFEMBZEMCYBLNRDJBWBOCUMLSOLNUPTETGCYWROACYQSFXBWNHGWPJVQNWAWKUVISCLHXAODXHGTGYBIVDGQQULRMEJMCYHRYXYWXLQTNEIINUCYEPKOEPHTQOQWVAZSBUDRHGYAFVQYNMYCERIVKOVOQNJLBIXTRBDBHNTZPWPYCVFUNIEAVJGCCWWHQQNTFCFYJDTKIZERPJVHSNNBWBOTMBMGRTKDWRLWPSEQAWSWDOFSPSEHOQRGFTQGBAGLJEZFNAHFMRNONCLEXLHXV

C:\ProgramData\CZQKSDDMWR.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.700739677288544
Encrypted:	false
SSDEEP:	24:ppydEKvTSBiqFHi8v+wyNV+fxloGJjN3y5j1xTEC3ugbIvso8wFjas:rmEKvMiYC8Wwyr88GFAH/UvsuZl
MD5:	57582F5B6AE65D8DFCBD4A26382C6138
SHA1:	DC27AD5E54D1BDCCA4EC0D54ED1FB5A3235E9842
SHA-256:	7918D6E76741E42934BB32547E2D7EA395304AEA3383C0E6B7FCF82ACE125749
SHA-512:	6D75F68E608CB12378605F06C74F2F0414486072CC25961A1EA421B94EA5827F92110B902C2190E04AAE2D79152B0AB9B5B1ACECDCAAADD93A6F25028DD1E060
Malicious:	false
Preview:	CZQKSDDMWRVXFLQDZCLIIZCHKUTASMCLXARWUFPBFEESBCKPMBKHTZOAVUSGWGQBPZXNCLVHGKNWOAOTOSOFYOKUZEGHVYFBBGTMFWOOTOTSLTKZBTPTBZMUKYOSGWCRRYGDZWOEMUMCRRCZIEIYJAYGXMDKNOLEIKRXPEZKZGIXGYJYIBDXPZGYVGHMUCSHXXAYXQQNWIVOLMGKTXTGEAEKAOKQQSCTUWFEFQMLQUREMQDBYWFEQOMAJXVXIMMKWJJFKSSTMQZNWPBIQBZROXFYPWCYBVRMKUOGMEJJHYTWCOZYZXVANCHSTYZHRBVSORLGLSOWPDGEBVMQLDWKSLQFPEZDXWPZYNPSNTKGPNKUHFMAEGDWSDLCDNYFQZWURNIMQZDJNJPPOXINSGMUVHRDBWXOXDRPWKGITAKUVBIDIBIWIIANONNQUMKNATQWTVSOUCLOFKCCAISNABSKDPLNCYIQIFQMVEHZLIAFYDDSJJTQSUEVQKACGQHHXCYTZJABESDNXLIPGYKWXJZQWYJMSZUZHKYCGKQIKCYIWZOHAVHKCRNACDVNLPEXUPOQVKBGVFKCQDKJPNALRMAYMZRBAGMTICYZEFMXXYLDXTMKSZLDKSKSRQTDUDGFZXFQEHEDXVFBYBNEOVKFLNIRSTGZDIJXNRZEZFJHNPZDGPGECJTHNVMTSURANVWOVRBTYGZGIPOXWTRIHNKWFKCTXVVKOFHISZVHNVVRXJGJEZEJDSCKNIDUQYQWFNDXBQQJAYENVZXKXVUERYEPFEGNWBAJHHQSAFTHXGXMHUHJVQEYGVKPBTQMWUEZMBBSFENGBBVZIYHLXFRDPALQUURINJMTQGTPGJRGIWXIXWOPVDTWDBDNJJVXOPMTWAGMWQFUPMRROBBTRTOQBMZKPGWTYPWAVOKTSPLMOWJJDVZIIDATCEGNLHPVRONAQJFLFUZXJVRXMCGQNRKTYBRGRMKBPVPQSPFOIOHXGEGDHOJP

C:\ProgramData\CZQKSDDMWR.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.700739677288544
Encrypted:	false
SSDEEP:	24:ppydEKvTSBiqFHi8v+wyNV+fxloGJjN3y5j1xTEC3ugbIvso8wFjas:rmEKvMiYC8Wwyr88GFAH/UvsuZl
MD5:	57582F5B6AE65D8DFCBD4A26382C6138
SHA1:	DC27AD5E54D1BDCCA4EC0D54ED1FB5A3235E9842
SHA-256:	7918D6E76741E42934BB32547E2D7EA395304AEA3383C0E6B7FCF82ACE125749
SHA-512:	6D75F68E608CB12378605F06C74F2F0414486072CC25961A1EA421B94EA5827F92110B902C2190E04AAE2D79152B0AB9B5B1ACECDCAAADD93A6F25028DD1E060
Malicious:	false
Preview:	CZQKSDDMWRVXFLQDZCLIIZCHKUTASMCLXARWUFPBFEESBCKPMBKHTZOAVUSGWGQBPZXNCLVHGKNWOAOTOSOFYOKUZEGHVYFBBGTMFWOOTOTSLTKZBTPTBZMUKYOSGWCRRYGDZWOEMUMCRRCZIEIYJAYGXMDKNOLEIKRXPEZKZGIXGYJYIBDXPZGYVGHMUCSHXXAYXQQNWIVOLMGKTXTGEAEKAOKQQSCTUWFEFQMLQUREMQDBYWFEQOMAJXVXIMMKWJJFKSSTMQZNWPBIQBZROXFYPWCYBVRMKUOGMEJJHYTWCOZYZXVANCHSTYZHRBVSORLGLSOWPDGEBVMQLDWKSLQFPEZDXWPZYNPSNTKGPNKUHFMAEGDWSDLCDNYFQZWURNIMQZDJNJPPOXINSGMUVHRDBWXOXDRPWKGITAKUVBIDIBIWIIANONNQUMKNATQWTVSOUCLOFKCCAISNABSKDPLNCYIQIFQMVEHZLIAFYDDSJJTQSUEVQKACGQHHXCYTZJABESDNXLIPGYKWXJZQWYJMSZUZHKYCGKQIKCYIWZOHAVHKCRNACDVNLPEXUPOQVKBGVFKCQDKJPNALRMAYMZRBAGMTICYZEFMXXYLDXTMKSZLDKSKSRQTDUDGFZXFQEHEDXVFBYBNEOVKFLNIRSTGZDIJXNRZEZFJHNPZDGPGECJTHNVMTSURANVWOVRBTYGZGIPOXWTRIHNKWFKCTXVVKOFHISZVHNVVRXJGJEZEJDSCKNIDUQYQWFNDXBQQJAYENVZXKXVUERYEPFEGNWBAJHHQSAFTHXGXMHUHJVQEYGVKPBTQMWUEZMBBSFENGBBVZIYHLXFRDPALQUURINJMTQGTPGJRGIWXIXWOPVDTWDBDNJJVXOPMTWAGMWQFUPMRROBBTRTOQBMZKPGWTYPWAVOKTSPLMOWJJDVZIIDATCEGNLHPVRONAQJFLFUZXJVRXMCGQNRKTYBRGRMKBPVPQSPFOIOHXGEGDHOJP

C:\ProgramData\DAECFIJDAAAKECBFCGHIJKFCGD

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\DWTHNHNNJB.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.706547634051575
Encrypted:	false
SSDEEP:	24:hvsWN1mO5uGrz/I7zHH1p0zqzlGo9+kLDw5vXGTxrVYDH+:h3N8O5Rrz/Ww4lGoPLdVg+
MD5:	B8F3A1455E95B1CF3432BF983042773B
SHA1:	F205A118C84B93F8D41F9F3A0C3F5739B308A3BD
SHA-256:	F28BAE1CF8CA75EF22D6F1B09E711B7CE094E88420F0085CD54522F42E2F01CC
SHA-512:	8E565B641B5FD2E12605880EDE93270A75B170462139E0A604E9392EAE17E9ED898657AC5CF3940D6642FA1C30932B5457C5ED3F48945406D8D52FFDAE4C75EC
Malicious:	false
Preview:	DWTHNHNNJBNUOLHJSZISMDGJOYXTZZHUGXLVDUQRAEGRPGUJZOCKQITJDWWXLEKCBGNUXRHFKQNVYEOUAPWVUNRKEGOVRSMLUWJEDVYMGZNTPHFYBRBQKTDCSSUSYEFMSBVJIUZXBZTSOHJUGSMYXMCHCXFJRJWCIMIIBLQTYLCFAYBJJDFARAIASDNTGSCWOVPZQVOLZSDXHBWJKTFKDASDWBZAKTZORAZAYMGQAWYBXYSFHGIFDLGGWKOZHAKPMQDVATIAOQBMHQSPKRBCMODLQIXQPGYLUPHCCYRGFMMUNVADRWLBPHJTZMIBWBBNTGIKVBMISXLSCBVIJKSLAYUGSXYTWZXZEUNPSJHQDCYEUFAEFXVKTZLRWTCCBJEUMWRIOJQZDSKPYAXWZFFGELTRSKYQLZIJELZOOYTMOTXAVQFHZOTOYJRTETJWEYJSIKLGRPKHTDUAISIYRKTOTNIFBGJZDDLKNVDBWZPCZRBGCQVYWVVYPGSOJLVEEYAEGKNLGKHGWDNSTUBBACNMNKWHSEVSQQBPUBUQDPMAYUMOEKRDDULTRBJHROGAKDVOBRFGLXLEPPGPAOSMYHGQPLZVPJQPHVJECMGUAKGHDTRXXACRQCFVKNWHWLHHCPJPVQQVIJGFKFVKEZUOFIJPAGHPJNNXVXIPDRSYFAAUMDAXMMQYHYXSQCVGYKVCLTYUTCPZJEMADJIUEQIXZWEBGFSJRPNCJBGIRLATPCTHDDTOZYQETROWIDHELZOIYGROYRHTLACZEAAOGNJQWDLKLGFABXVJYRCNUWGFVDZUUJMAZAOCPBSGXKYOBTOFSVELAWARUWBQDAJUSVWCITXEQOPHLMEQQFXPPYDIRXJXPELMDYSPWTSNOQKFKNHOSIBCKLQWNBVVZSZKFPEPAAYEMUOZCVBZFPQTOSLEUQFOMZPXBRUFRPVLLIMOKJVZSYBIUFACEGBCKQVRWLXWDOKKECLVGPWOMOUDVXKXHIQF

C:\ProgramData\Drivers\csrss.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\83BC.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2029056
Entropy (8bit):	7.944729497213148
Encrypted:	false
SSDEEP:	49152:S3fAWuVHSdrO+tzwZHkr+8d3OCWwhdGshy5N7gQwgY9P:S3fAWubyzn7+3whNw7wg
MD5:	15184ED11B2354EDA1F1787DCBBCF04A
SHA1:	F21CFDFDB3D6BE8054CD9B5F21AC39EF2EC28011
SHA-256:	C4F00AD34B1347583B292ACACBCA0EE00E9DD594519E26F22DA895ECF6002B9A
SHA-512:	1FA8BFB44652654CB0FC72C793DDD4431A1EE293B326FAE7D4095BDE00CD4717CD5CDCFFAABA8CDCCB43E5BCEAE19574661CACA4E8011B0D22C67AB34CE761AB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 74%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........o].s<].s<].s<C..<{.s<C..<G.s<C..<..s<z2.<X.s<].r<!.s<C..<\.s<C..<\.s<C..<\.s<Rich].s<........PE..L......b..........................................@..........................p..................................................<...................................................................0...@............................................text.............................. ..`.rdata...4.......6..................@..@.data....h.......&..................@....venowe.\|............ ..............@....rsrc................"..............@..@........................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\EFOYFBOLXA.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696178193607948
Encrypted:	false
SSDEEP:	24:/X8jyAbnZdGxzRopIIg0xlAqLR61W80Ic9ALjzEk1CceqZQ:gyYnjGxdKL8NlMAzEk0EK
MD5:	960ECA5919CC00E1B4542A6E039F413E
SHA1:	2079091F1BDF5B543413D549EF9C47C5269659BA
SHA-256:	A103755C416B99D910D0F9B374453FADF614C0C87307A63DB0591D47EBBD14F4
SHA-512:	57D6AD727BEB9ADB7DED05BC0FCE84B43570492DA4E7A0CCAB42FFF2D4EEF6410AEDC446F2D2F07D9CE524C4640B0FB6E13DCD819051E7B233B35F8672A5ADB7
Malicious:	false
Preview:	EFOYFBOLXACUDYURQVAYVJXHJUGEEDPZADUOAPPOQQWQWQUHVVNJESQUUMLWZGSPUVGMFUNVUAJZVMUXELMWQMQASSSGGGJJGKEXZJITZCZHBFNFKPSAPJIYNYUGZHKNTNXKHXTBXQPWUVNOKJUTUOXNNMDSUPTQRWVDMMOHKVXWMJEBHSPNNEQFXTJSRJUQDTTDGEDEKBKLUEAXKKKWXKHTVKNTWBHTZOKZNDMJXKTTGHRNAWWIBUILXUMWZIMCXVXLGVWBIWAGGRITYGTHZCIUGGSPBVQPVSAMZBKHRKSRUKMYEZBGFASYOHNDHDAZICVMOQUNZQXFSSSWJJUJLOPCNSUDNPJGXSQCNLKWNAYAVAFMTSLCNOUBHQKHOIALXKEFDFFQBAGKRNRBIWVREZJOOFMLXAZTWLEAOZRHRBFSBONLILGVTOFKSPDKLHKEYWTXRPOWVHUMWWBBJNKSDDHCZCEZBDSJNMTTRGVZQVZUMECWAMCSNGCNYLUINFNXYCBEUKXUHVXAVTHIPURBBNFYVJTFMOLRZVAXLTLVSXETAIDBKHKCPFZAFQDPCXVFIVQQGEEICSHLCAYFSNSDHOELLSCZOGAAUENDMPCOCUFYZDMLPBNKDUGRDZRARSOMIJFRZRZUIHDMSAFFCNVKSOSQISTWGPAEHFMPZCCZNXMQBAWCBEUPECUJREOJQIHRSWCZZFJMFLJKICDWHXVLIXNXPRQGJYJUOGNEDHQPGFRLOHFADQRBTSXNGFAZNOZBJCPSPRRNIVIHFGIRZACAKFSLJETQMVKRUZJTTQSUXQEUOQNSNEMJADFUZUYAEXCLKPKWEYZNEOFNRPIUJKDSUTOXHDBKNTEVKKRRKWGOAZKYTICBSAEESHOCGXXGAWBZZLXBQCOVSSJALBIGTSKJTMZXGQLEURKHCIHHNDAYOKUXKAVYIWQFZVMPKEXXMPJUYHRWAIPFWTLCJRNQCRDENEBUALFGVEULSBFIKWOO

C:\ProgramData\EHDAFIJJ

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1368932887859682
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cF/k4:MnlyfnGtxnfVuSVumEHFs4
MD5:	9A534FD57BED1D3E9815232E05CCF696
SHA1:	916474D7D073A4EB52A2EF8F7D9EF9549C0808A1
SHA-256:	7BB87D8BC8D49EECAB122B7F5BCD9E77F77B36C6DB173CB41E83A2CCA3AC391B
SHA-512:	ADE77FBBDE6882EF458A43F301AD84B12B42D82E222FC647A78E5709554754714DB886523A639C78D05BC221D608F0F99266D89165E78F76B21083002BE8AEFF
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\EOWRVPQCCS.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692990330209164
Encrypted:	false
SSDEEP:	24:NCzz4hMQMxH70HULgnraTryj1S0KEX64u+O572j79DwzpnQf8A:axH70cauYS0k4u+O125wtnm8A
MD5:	DD71B9C0322AD45992E56A9BCE43FE82
SHA1:	60945B6BC3027451A2E1CFA29D263A994F50E91A
SHA-256:	19AC62FD471E562088365029F7B0672623511CF3E58F2EF6DE1A15C14A2E94E7
SHA-512:	86EA2B42FEB542977FCF534B4708F7A07E09F4ACC413307E660B905408BC4AA9E26C50E907FA02379EA3EBFD18C532CC9DC269B6EA5994E3290082E429CAAE03
Malicious:	false
Preview:	EOWRVPQCCSGUYRPSSKREBPXVQXUWKHGDIJHLBLYMXTIUESLNTSFMRJGDSQHOWECQAJMENKQNNWPVETUPWMXJTCUIAKPCZEENXVLTKYPKROZPDEBFNAJOVCNEXQJFUHQCMLNHGMRJJIPLOMWFWJKKXSTRHWFVLVQPEMFBLDTSCCSXADJIIDQIYCEGSDEDZDWUEJLTYJHMYEHHMBFZCRDHXZVPESWNDGUEFQZTJFSJVKZMWREMIZGAIZANQJKWWXITTXHDQDZOEOGKCEMDUUBDTMNWBRSOWEKQXQDCYJXERQRAMVQCWCTYJPEAJUAWNBRQWGFJAHXJJFRYTZMSGCREPRECKHXXMJGSQEKUCUNCWUAAPBWQVSMWCJGYSLPHJJHJGXSMNLNICJMSGSWRKARHMQXLYSAOPDAPXSMORZLUWYOQTJQNKSCAJWRUEYRFPNOVSMNYRKMTSGRIFLOAJUGJYDTLINOTCEADKRENVYNODFSIJGSDCICIDXZTLLSKKJQSOHYTZRBSHPHXWZOOSKQIRSGPTAOQPBVJAMXOGPYNJMJXAKCTMRRTFCBPOAMNJORWRNZOGZMNBVCCZYQPOQOUXBGKNLFSQWAWEREFQBRDLTVHEFNRUSOARHJPRECDRMPANZRBGCANIUWEBUDVWLYHFTPGBHSZBZBEFUWFHUZPJOVMHGSINZWDUKWPGMGSNSSJNOMETOCJILXRQRGZQFAJCWYQEENIZIMHRBTZUYEOKCQXYLWCKFHOHCOVRVPNTEUARVJEFALBUVYXIYZRMGJWZNYNLPYHZSSCODVXZBIWXIOAVMGMPKCPYIFZIKWRIHNIYASXZLMOLNZOMMYUSCRZBCXRANWWODLPHCXXDPLNYLMHYIUYZJWQLECFNXQEERYDVDBPXOLGZLZQCVYUYKFZGKXWVDQANPXQYAATYFJALGENVLDMHDASWKNNXODUHLXYGCBUKEFWISCCUWXNUNETWMTQHQDJMAXNPFPLMPQO

C:\ProgramData\EWZCVGNOWT.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690071120548773
Encrypted:	false
SSDEEP:	24:Hpi2eIMaeHmnj0AhtUkcnKCORSCQH8qvLrUo:Hs2e4njIkc6xQH8qvv5
MD5:	8F49644C9029260CF4D4802C90BA5CED
SHA1:	0A49DD925EF88BDEA0737A4151625525E247D315
SHA-256:	C666CACFDB412CE2BC653F9E2F19484DE94216D950F8C304D1F1F8ADD2EE32CE
SHA-512:	CA63EE1758AFE40FB8569FB3FF5A52BED8A593DC163F5F2462CEBFE1EA4F3F7AB4561435912279C4371944F7C63068D7474AB9F38492F34567E10E5188338C7E
Malicious:	false
Preview:	EWZCVGNOWTCRGCAHGHIARWHBREQUWUMDZTEFKOZTBZKDHTGWOMOMXQJLCILTVOXJTWXEZRFVVOJJDUXCZNNWMUHQTYLHFYPOOBFJLGZGDSYZASNMWULDKVPIBSBESQVOBWTJCIQCCRZOQSMEFZAEOCFIPUXIHTROYFKQUTFSAUWBWISJHTVIQQEEIJVJHOBGZOPHDRBICMJCZJYKKJVLBUSHZHJSFDMYEGPBFRDSFIJIUADWYUWFSOFGQCFBFZHQMDWRKPFVNPDGQDAXYWPQENYPVCKPJTHAOXRLVMNFIOJBVFWANBCOTBENTFVQZCFBFDBMQUHCCCHMMQUOWSBCZYACVCNJFQKUCOMHGVNGGVDACUHMUYLJZQAKUNMISIRRZWDKBKSCPQEZJBHYOZZAXJVBHPFZNDXVHGWHNSVWMYZWRVIDTUCEOPZZRDVHTZKWHATLUHBDJSDWLCXQNXOWYUDQGZJKCAXDTIVXTBCQYHDKCAAFPJFSMAIFXPBWZRPFPKSDNBTLCMBJVBNHSANLTYRSVYQCPKAVQBYOUIOKJPCSLSZRHROXWWPPNZAAXTNVEINHTCLXLDMDBKYPOGMKCUIRVICNSACARZMRYFMXNDTHABPDGEHGCEAXGZZZNHYOCNFJZCIJNBBNBGAUMIROJJYSLPZARPCRZNPUZHXYZLDLXFPTCUWDLYNUMOSJWAOBYFOHEOOAGSALYXBYBYNOLNVRWYGBMDREEFNSPFBRMCNZKOZYEFYTGCMVSCLNGPIPBUDCPAMQEHOAUUBIQZZVXLYZWJOMBCITZXNLTEPYYRLUUAPJTGKEVKMNIMNQWNLLBUVLJOYGWJXXREBMWKGHQSRPNVJAECVNLXPVKWNPACZWFRCNSRBCRVPAPFJGUCNKUOOMSEURPZQJTKWTBOYFSFQOBHOUCLHWYMZMDGTXJBELWCWSQGBSNYBSEAJYTJCJQBKRUPJLBACULNATKEWAJTPTTOUKYDWVFZCDBMMO

C:\ProgramData\GRXZDKKVDB.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697358951122591
Encrypted:	false
SSDEEP:	24:GllFjmGrUw8wsY1UbsUhBRShwdYjDuvHNeGXNei:WFewtsZZp8DkHzNL
MD5:	244A1B624BD2C9C3A0D660425CB1F3C6
SHA1:	FB6C19991CC49A27F0277F54D88B4522F479BE5F
SHA-256:	E8C5EAACF4D2C4A65761719C311785A7873F0B25D849418ED86BBFE9D7F55C96
SHA-512:	9875E6DE2ACC859CACC2873F537DDE6ED4EC8CA00CBA3D28535E0440D76FFD475B66C52B6217D311D301C4B9A097619CF29A26B2FD54D03CD27A20A17EC9CA31
Malicious:	false
Preview:	GRXZDKKVDBUGJWVAVQNLKHTVWJFMWUAIFGXJYDZTDDYOZYAHDDDHNXHNVSFVZJEMKSJXGDABHWXKQZCQXBMLFZCFZRGZPZWYYNETLMDWOLDLPIFOVKRDMQEWUEHKITHNGNRTRZWQHFMBDECTTQKFDEVNVHBAPCNMCJNWWITPVACWBIUNPCYFZKGJXCMBWDNHDCVDCGEKHYPPPEGKPCPMYZEKRCOGRHDFANVZFDZEKZWOKLRIOUPCTJCKQPECVEEGNTLJWZOKHSKZRNLJEDQLEQNRWIYLSXHSNVGFTCDJOFJSSGANZFCFSTDUPYBCCAPQWVVVHWQMAMBVDQNABQSQOSDYDMOVPXENCAXSTPDCENIQOWPCOQHPSISEOWFKMBLGAZRALPTAYHDZLKJTCHXGTPXNIVUMCOJRZXPUVUFPCWEAEZMMLATLTGHPJIMHWFBUWIATNBBPFGVFXNULJLRYLAGRNCKVAJADSLQGVLGIYOHDIWUERAQSCTFBMXCMLCXSHZGTWPBCVHUYPVAFSBZNBGAGMHGULJYULEEHPGNBGEQRAOPBXXMZIUIPJMFAOVNMZZTOZGOZOJPKWCEFTTAVUBAADATZYJDWSZEZPLDTGYCYWTSDQTIMZHCKMQLZFEYSYUUWFJSYEFNDDKQMZVTBOZLQBDKFHMMKIYQPFKZLTSHIJVNPHPCTWBWPTTKDHDZEMDVWXXBLPWLCSSBMTLIVOVYOKQCJKTYJWGJUBQUGQVBYJQQLLGTHWSPFLDMDWBTOQUISHXBCHIJKAJFIPBNKMWVQGUSJVNKXAXFDNOBYJXMWRDAZWUJSRMMFQXDPYYKOFBEROBQMDZHDZZHOEIOKDOCHQQDQQRHOROOIFAGQEJZJFZIGPJIRWVNQYZAJAHAWIEFFNXLXQWIUWYSGZDFYPCCGWYBBFQQMSMJBRIUPFBWIHWJWVCYOBNNXKIIWTIXOWRVLFBGPGWFQTGPUNWKWUUMQXIKNCLTTGYHBMKXJ

C:\ProgramData\GRXZDKKVDB.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.697358951122591
Encrypted:	false
SSDEEP:	24:GllFjmGrUw8wsY1UbsUhBRShwdYjDuvHNeGXNei:WFewtsZZp8DkHzNL
MD5:	244A1B624BD2C9C3A0D660425CB1F3C6
SHA1:	FB6C19991CC49A27F0277F54D88B4522F479BE5F
SHA-256:	E8C5EAACF4D2C4A65761719C311785A7873F0B25D849418ED86BBFE9D7F55C96
SHA-512:	9875E6DE2ACC859CACC2873F537DDE6ED4EC8CA00CBA3D28535E0440D76FFD475B66C52B6217D311D301C4B9A097619CF29A26B2FD54D03CD27A20A17EC9CA31
Malicious:	false
Preview:	GRXZDKKVDBUGJWVAVQNLKHTVWJFMWUAIFGXJYDZTDDYOZYAHDDDHNXHNVSFVZJEMKSJXGDABHWXKQZCQXBMLFZCFZRGZPZWYYNETLMDWOLDLPIFOVKRDMQEWUEHKITHNGNRTRZWQHFMBDECTTQKFDEVNVHBAPCNMCJNWWITPVACWBIUNPCYFZKGJXCMBWDNHDCVDCGEKHYPPPEGKPCPMYZEKRCOGRHDFANVZFDZEKZWOKLRIOUPCTJCKQPECVEEGNTLJWZOKHSKZRNLJEDQLEQNRWIYLSXHSNVGFTCDJOFJSSGANZFCFSTDUPYBCCAPQWVVVHWQMAMBVDQNABQSQOSDYDMOVPXENCAXSTPDCENIQOWPCOQHPSISEOWFKMBLGAZRALPTAYHDZLKJTCHXGTPXNIVUMCOJRZXPUVUFPCWEAEZMMLATLTGHPJIMHWFBUWIATNBBPFGVFXNULJLRYLAGRNCKVAJADSLQGVLGIYOHDIWUERAQSCTFBMXCMLCXSHZGTWPBCVHUYPVAFSBZNBGAGMHGULJYULEEHPGNBGEQRAOPBXXMZIUIPJMFAOVNMZZTOZGOZOJPKWCEFTTAVUBAADATZYJDWSZEZPLDTGYCYWTSDQTIMZHCKMQLZFEYSYUUWFJSYEFNDDKQMZVTBOZLQBDKFHMMKIYQPFKZLTSHIJVNPHPCTWBWPTTKDHDZEMDVWXXBLPWLCSSBMTLIVOVYOKQCJKTYJWGJUBQUGQVBYJQQLLGTHWSPFLDMDWBTOQUISHXBCHIJKAJFIPBNKMWVQGUSJVNKXAXFDNOBYJXMWRDAZWUJSRMMFQXDPYYKOFBEROBQMDZHDZZHOEIOKDOCHQQDQQRHOROOIFAGQEJZJFZIGPJIRWVNQYZAJAHAWIEFFNXLXQWIUWYSGZDFYPCCGWYBBFQQMSMJBRIUPFBWIHWJWVCYOBNNXKIIWTIXOWRVLFBGPGWFQTGPUNWKWUUMQXIKNCLTTGYHBMKXJ

C:\ProgramData\IJEBKKEGDBFIIEBFHIEHCBKJJK

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\IZMFBFKMEB.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695566741548326
Encrypted:	false
SSDEEP:	24:61iSJC9lUfmxZoTgwj7WkGrivJpQ4t468phJvvHIm:6M/lU+x27HleIQ4t4bHIm
MD5:	CA699715DA51DFD5AB81CDA02AFD2CD7
SHA1:	72D44C17A04FAB316BEA20F61A80D7AC787879D4
SHA-256:	BA61F500E1845F2FC03C990DA95B7DD92ED8B7583744C941D37BDD90DA666D21
SHA-512:	497F9D6B6EE52454F4B740A6B765F46EBC10575E9A20B62D76594E1CC4E37868182D18315E05E62A78D5131A5569C95C8989F248E3A8C72BD95A99883DF196D2
Malicious:	false
Preview:	IZMFBFKMEBTITTFFYOGRJOKLUYKYEMJURKRTIEUFEDJKBQPELZNUOXWVNDZJRAOONFPZIJHBCSQXWTLQPDNPIJFFQZDETQFKNDQYRTMSHJIWQXJBNOXAVBJCARKFOKHIBUFVCEOHZTISPCFZSEFFASUHHMDHUBAMSDTGESWVKGUMZNYRLTUEBNLLDQOMZLGIFYUADUMCNGQHUWJKQAWHNDDSWUDEYOPPNFAUERMDDQUABWZCHPIWYDNDHUXDNYSLQSQXHUJRCQMGRZMRHEOVRBHVMIEIIBHEADKNABKWVMULXGOWXFOLUTZDUOKAMBBJKEPASVGVTDOUQMBCJGMPZZSAVFTSOBTVJPGYYQSJQWHRBFXNUHYKYXWZSTJELLKRMBHUVLFEPITLTURHTDAKMVDVNYWADPMNSQACTPRPTZDAYSYQHCRSDUXMKTYASRROVGGBBIXHTORYFNKLOIBCKWHWPTJGKEQOSVXTUUTFZVORIRTKYSUWDEDDGTJHWLZYRYCPYUENHHDNRWCVEAZUDOXSWLHJDIGSALQSCJKGZEXAIJUDAQHXCOAVPDFCQIEHQEFVSBLKSKPDHYCYSPHGVTEDVHAWYWOOWFAJSTOXLDYSHUWZIJQGRICKYUZPXLOZURIDFCEWXUMATNYLUVJTEOTDEYCCRPCVBPHMOLWESOWCICFDWLNMYIPCOLYFBDDSRCSOZZCSIWGDPTAXMSUSNBSGLDTYGEEBZGXKIVMAHAMBSJEUPRTVXERTMYQWIYUTCCWNXDLXQQSMSGHDXMIYKWUXJBHOCOBAEVHTWJOZVUWZIGVYBPSQGRQDABKLPWJJRURTHDJAMMOZSJFGCHHDVYXDYYIUIOZDZJWQLIKTEKOTISNTJFMZOMVLIYUHJEAMEKRMBWXHAYWZVDUJKHILQWXCRKUPFLJKIKWARBWYUOFDHFXEHJWSBCSSQMNJANADKJFCPMBCMQGQXNUCZETZWJFUFSMVAZQXHOGKPFDO

C:\ProgramData\JJJJDAAECGHDGDGCGHDBAECFHJ

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8517407251719497
Encrypted:	false
SSDEEP:	24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO4wxeHChWEE1:TeAFawNLopFgU10XJBOaT3
MD5:	D0962B221779A756754334848DCFF184
SHA1:	22CD3B9D687216E6921553F55958449CE7ABF05D
SHA-256:	7BA5110096912E6B352060FFF79B07EA95CA114A13D3994D7814831DFAA649B8
SHA-512:	05AFC25BA53913F0685075B6EC27A2A416168CB7A6D5C869D2F3DBA06AAD88633F1A709DD51AA1EDC946FF74E6271D9D3A5652FE4E0B8F226A452FDF6BAED36F
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\JKEGDHCFCAAECAKECBAFHIIJKJ

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.03799545499236577
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWZru/bNb/fc3DDTnHI:58r54w0VW3xWZrwbFHc3T
MD5:	96AB9233CA2AB3982F98B1BA44CFFE32
SHA1:	A72C6AF1881274392B7D73594D78C4D3F1B91428
SHA-256:	C764FE5DA2665335A3C2E60091F08E21A16CEC35EFD453AE092FEB1D7C3D69BC
SHA-512:	E09E96834C049E56FE5E9A56BA1635CA6A4FB5DF2F2EB8F339C94D4BCF2D24150592B2833D084BD4BD7D0319B4D5C493B5B49A64310E084684375D645DD8CEEC
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\JSCoreService75\JSCoreService75.exe

Download File

Process:	C:\Program Files (x86)\CPointASP\cpointasp.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1642495
Entropy (8bit):	7.046845970009018
Encrypted:	false
SSDEEP:	24576:wmCaH7LA76aNXR2g5iXj8Y1d1mEkrg/VFp6P1WJCkKfWTo0aII1AvMDwMVgJwpC2:v1uViz8Y1d1Jq
MD5:	9DCE8CBCB90200F461757260260F7FB7
SHA1:	C602735F22B53E4FB38858C0BDF143A28590460A
SHA-256:	5922E374C679519E68C34E99B1DD21A519665EDB7FC024E93A8F8A24D19150B5
SHA-512:	3F6056DAB3009F445DF13657A25EF2BF653BE1610777D27BFC1F76EC873B0B25AE88055CBFCE3366E9A9877C4E216142869BE4F6E21CEC481D85D0CBFC899ABA
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Q.e............................&........ ....@.......................... ...............................................%.......p...b........................................................................... ...............................text............................... ..`.rdata...$... ...0... ..............@..@.data........P.......P..............@....rsrc....b...p...p...`..............@..@_text_9..@.......?..................`...........................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\PALRGUCVEH.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696508269038202
Encrypted:	false
SSDEEP:	24:RSjVGe9uHEleifrd16Wa05tSl2jFQzpqPMXexMApqIjsp:2Ge9MQ/d16Wjtc2j64Phxjpq82
MD5:	0E9E92228B27AD7E7B4449467A529B0C
SHA1:	209F92CDFC879EE2B98DEF315CCE166AFEC00331
SHA-256:	284937D0EBFEDD95B2347297D957320D8D5CA5FC48218296767069CABA6B14A6
SHA-512:	CECA5F634268817B4A076414FFAB7D81F93EEC7E7D08B8691CCE0B2BCAF8FC694365455886E36983B4D8D758BC65BC1868BE8DB51AD41E082473726BB1FFD7B8
Malicious:	false
Preview:	PALRGUCVEHIRKBYGKJJWKNMNYKFUTLHCEDOTKTWJCZHNZMOUNMNREQTGFDNZTATQQPDFONRIRAZYJEPXQVIVWNBDQIMKULZMUINYTVUPNMQBQQYLGCAJYFEIWZTWGYTHEJPFBRNGCTANCYOISUQMRINVDUEIROITGPJZCCOVCZIZBHLYBDARSNRLEOQQDWOSMHXNRNBXNWMRVAQZUASARYHEITVTVSLHRGBYURPTEUNAUCYMZTXOZXKDXUEUUVTNGWGSBRAWIJZDVZDLMZBKEVESROLUEDPITQGUXFSRFAVNSESAFZLNXMXUYRFUEUKCMNFITMUQEWTCKEGDPOXHJSXBDLFIOLLHDYIVOQVEYJEZMDIOFXZFCPXJEQLPCSHKUGRQKXAUMKTHUMHWFQZRGBRZHGHYRXRODJXEBANQHOOVFBZXKJHDCAAKHZGSWGKGEDWOOCFCEYHPAQBYBKRXOTJWSCPMRDXNRYAQFQHSHOFCHWJDKTFHACROGLPZFWDCIBJSUTMTRHJKEGAHSBAQLDTWPTXBLVYYBNJBKDUNGOUDVWZOBKOJKSMZERYOYBNMDSYUPHFDPUXOMKCYNSEBJHJVXSWTIMBDLPWYMYMQKYICPQEWMYDUMYJRSVQHDEELUFOEQYUIZBTNUNJNZQTDTIJKNOJNFJDDGEYVGDXTQINCQDGJRRPOBRUHQLMKFJSSNNCQMDHWQYMHWIBVNPHRQCBTMYBSOJYXCUAYTWUDETCJTTEQSPXKTRSQBDJYENXLXJTQIYOZHEFAQOFBXKATTASAWEYGDPTTLZDAFVKRYLRNFSWZYBGUMRHHMNPVCVECBEVWEXNMSCXSGJRAQKAYEIULWHXXFKTJWPDMYUAOSFBKCTNCTQQXTLXIIJKYOPYBMSFGYLZDGOXTVIHYLUMJCRDRQXFLBDAUXBTNAPMACHVQILKZSQLNPPJVGXAXUMTOUMJJJYJSPJALITYYHOOMVVOQNOSSPBLMRBWWPYXB

C:\ProgramData\PALRGUCVEH.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696508269038202
Encrypted:	false
SSDEEP:	24:RSjVGe9uHEleifrd16Wa05tSl2jFQzpqPMXexMApqIjsp:2Ge9MQ/d16Wjtc2j64Phxjpq82
MD5:	0E9E92228B27AD7E7B4449467A529B0C
SHA1:	209F92CDFC879EE2B98DEF315CCE166AFEC00331
SHA-256:	284937D0EBFEDD95B2347297D957320D8D5CA5FC48218296767069CABA6B14A6
SHA-512:	CECA5F634268817B4A076414FFAB7D81F93EEC7E7D08B8691CCE0B2BCAF8FC694365455886E36983B4D8D758BC65BC1868BE8DB51AD41E082473726BB1FFD7B8
Malicious:	false
Preview:	PALRGUCVEHIRKBYGKJJWKNMNYKFUTLHCEDOTKTWJCZHNZMOUNMNREQTGFDNZTATQQPDFONRIRAZYJEPXQVIVWNBDQIMKULZMUINYTVUPNMQBQQYLGCAJYFEIWZTWGYTHEJPFBRNGCTANCYOISUQMRINVDUEIROITGPJZCCOVCZIZBHLYBDARSNRLEOQQDWOSMHXNRNBXNWMRVAQZUASARYHEITVTVSLHRGBYURPTEUNAUCYMZTXOZXKDXUEUUVTNGWGSBRAWIJZDVZDLMZBKEVESROLUEDPITQGUXFSRFAVNSESAFZLNXMXUYRFUEUKCMNFITMUQEWTCKEGDPOXHJSXBDLFIOLLHDYIVOQVEYJEZMDIOFXZFCPXJEQLPCSHKUGRQKXAUMKTHUMHWFQZRGBRZHGHYRXRODJXEBANQHOOVFBZXKJHDCAAKHZGSWGKGEDWOOCFCEYHPAQBYBKRXOTJWSCPMRDXNRYAQFQHSHOFCHWJDKTFHACROGLPZFWDCIBJSUTMTRHJKEGAHSBAQLDTWPTXBLVYYBNJBKDUNGOUDVWZOBKOJKSMZERYOYBNMDSYUPHFDPUXOMKCYNSEBJHJVXSWTIMBDLPWYMYMQKYICPQEWMYDUMYJRSVQHDEELUFOEQYUIZBTNUNJNZQTDTIJKNOJNFJDDGEYVGDXTQINCQDGJRRPOBRUHQLMKFJSSNNCQMDHWQYMHWIBVNPHRQCBTMYBSOJYXCUAYTWUDETCJTTEQSPXKTRSQBDJYENXLXJTQIYOZHEFAQOFBXKATTASAWEYGDPTTLZDAFVKRYLRNFSWZYBGUMRHHMNPVCVECBEVWEXNMSCXSGJRAQKAYEIULWHXXFKTJWPDMYUAOSFBKCTNCTQQXTLXIIJKYOPYBMSFGYLZDGOXTVIHYLUMJCRDRQXFLBDAUXBTNAPMACHVQILKZSQLNPPJVGXAXUMTOUMJJJYJSPJALITYYHOOMVVOQNOSSPBLMRBWWPYXB

C:\ProgramData\SNIPGPPREP.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701796197804446
Encrypted:	false
SSDEEP:	24:C1U2g6pCwYBq9+pGzEcrz023TZ9iFxwELi:2U2gCCm9drz0wTZsIEe
MD5:	C8350CE91F4E8E8B04269B5F3C6148DA
SHA1:	22D523A327EBAF8616488087E2DCE9DBD857F0CC
SHA-256:	1BE0B3682C4F3A3315465E66A2C7C357BB06225947C526B1B89A39D9D120AFBF
SHA-512:	C4891D35B6E895E4A9F4A785701EFFA4305AE88D09D309865F9312D95C296CB417916D8CBA461099E80F68C5AE5015A1172E60319256A453DE81445660F55806
Malicious:	false
Preview:	SNIPGPPREPVDSXKMBCQXEQRWSYOYKDGHPXSNVTYLWVPMUIXPKXDRFHMINIQBFZTPTVMTSZAWIXFLHCKJNAWKCQYMBHUKFDOIJBXXLUNVNMKEDOTTPPDLIAGSTXKJKMHVVGIGUNGKPTPDUEUVMGZRIBRMBHLZOZZIBTDOCDOASXCIFRVGCSENFOEARIYUEACCMVFPUDRRUHYQQFJBAWDGKHRWDHTGYUXKSSVSTFCVQOQGTKOBOMZZTKVYFLAXTKJMTUDSETBGCOOKYGPLGPNAFICZERONWJHOMIWLGEWSSANDAVRYRUWZSRNZFYKTMSQXLZZGTQKXVQLDKQIHEDADRTKYMYNBVWROSFBYUXYULCESFAKNPBXYOELAWZCZFAPVQWMMNLBQRIPMVDMMWGXGKDJNUJGGGBNSGWEDDLRHGAAWJCYOEMVEHAYXYEHSKMWJPPHERNLXAGENBCUAZODRTUDIOUWNPZSHJGYOVHWQKWRAGGUMLCITTLAJXOXDUPFFLAHWLWPRQRAXSKOBHTXQNNGYHHVLBOEFTHAXTLKUGTNIYSDATIJHBUFTSGQHRXQQGXCBWVJIULNMYSMFYMPXRZOWMHYMZOLIBIYHPQRQJTZOMJZHKRTSWQQVINGIZHWDLNCJKAMKHSMFOTUPQMESXHXMJSAXESVNVSKORQSXVCYCKNZKOFZFUKINTRLLEGXVQTQURFVKWLFRQZVQVBVOEMATWFLXFDJVWCYMPYCSJCUUGUCIPOPIVLEFNZCPNYAWTXOATSTYLECDEFJNQFYGVPQWTJBNAVWKGALRTACLENBODJOQDXMPOYCYEFXOOOOMCQXLRGDBUUVJNQAEBZDSPDLPFIEOXRWSFCHXDUSBTSLEDLCZPOHIMIMQZMHHTMDFUUMKUAMBYNWWRQKDEXPPDWGKCNTWTFNHBMNDQIMVNFYWGALYORHHPUAXLDHMTGOKMMTAOCOVLGFIHZLZFADWMNNCWOLNJDSGFCWVDBYK

C:\ProgramData\ZGGKNSUKOP.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6959554225029665
Encrypted:	false
SSDEEP:	24:TifvYKkubZMu3HGRW2lJUao1nH5o4WGAZ46:rKkmZMuklJUj+GAZ46
MD5:	DCABA2748DFEAEF0BFBC56FD9F79315C
SHA1:	B87FBA690A774893B22B9F611DFDCB5CDC520269
SHA-256:	86DF5957E0CD2EBDFC2FF8C2F05569BA71462149042DF57ECE5E8228E3BC5DDD
SHA-512:	65F10692D0AE5CBAADDB03E89D6CD1D3486429906437A17C2B1157BEDB069202B1DC52A4E864AA8F90B8CBD171FD2A3E150185BF7DFF81540E209B6A8F8829F3
Malicious:	false
Preview:	ZGGKNSUKOPMPPNHVZHJQGVEFQIYKECDTBUUNZDYNGQNIRYRWHUTXXPSHQTZPTZVHQXNNQJMVUKUOXVGORIAYJGXFFBGSTKCIJZKEQXQQIVFFMJLOMJSXIEOLRGDCSILZBJCYZNNVATINEQDJPDYKYEGAQWQMEKFVPOYVPNSSIUTCUVWRTSGVMOYKONZJJHVYYHDVZQPBVLAEYYFULQVIAJCQYCDCEGDPRRLXXZXFIPXZYSZYOHEAPCISCQQIAXVPAQUVHGATHPNBNNZVCLFBZBDBZXOQODZLPUONDHVUIQLSZFYHOZHZHEGULYTEVGGLQVDEJVLJEVPQFWMTICLCXTQWMOFFAXIMODRSEVRDYZWTZFYKVZAJEAQBNILURHKTJBNMYKYFSYGEEBYTRKZAHNYHNKUVIQXUDTDSCKKVFAHEOCHUYENGZNJLYIKKSHPNCIQVEDXXJBQWLPTRWDPYUIEDKEYQXNAFVHZZHVLORWXSFDRTMIHTRSJAHAAHMDOMCQGDKDFHBNGVZQTTCSWSPIHCTQXSLLYZTFMEMACZONDWHGUSVOCWSBRSQZPAKSJHSWPMXYNSVNZCBVQSSDMAXHBCCABCBJMXUBBMSGLUNDNJSGZUMDVFIJNOELGIFULZKPJDVNZQPDOWCXYQGTVJKDHOFHYVKNSZDNMILUISTCTZRFSEWRMDZLOBGFMXNVDCJYYLJUDJGSTSUEEGOSENKRNGXAGHHNOGGDSDRGIFROBPWJOCJPXDATRXEPUOWMBLLOQTSWYHGAJBORDMNUEAHWTKUYXIIPMYCMRMTPBVKTCXSHVYJOWCUSTTUMTZOYSOSDSUBSGMLOTYCZCTXANUCXZOADEOEJYBCLEULBLYXGMGORWYBNIGNRUWJATDKWTNSTJBVFQENEPZJCVWRRMXFFHEBPBGQZTDBCCMCQDYUYICLUZKGYRMAVIURGHOINFOGSJSSMACWITEPVYEMKEJTPCQQMYWOBTBOCHUSNOE

C:\ProgramData\freebl3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\mozglue.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\msvcp140.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\ProgramData\nss3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\rc75.dat

Download File

Process:	C:\Program Files (x86)\CPointASP\cpointasp.exe
File Type:	data
Category:	dropped
Size (bytes):	4
Entropy (8bit):	0.8112781244591328
Encrypted:	false
SSDEEP:	3:X:X
MD5:	CBCB73D49417B1A35BD3AB2570374644
SHA1:	A8A33EA8EF657B138FB43E474B416E6B510DB115
SHA-256:	60F2E332C71BCDA81951EA38D3C52D4A9B1A2056B334F99001F41C588AFD0892
SHA-512:	1347798A7BB434876B635E9A7C3B62B0C5FA60F107B6A29B4E9E67C2FB3B2578EA74CCF46BDFED40DAD7E5D23BBF88C3EEA189422C9160F3ECBC58651C14A893
Malicious:	false
Preview:	....

C:\ProgramData\resource.dat

Download File

Process:	C:\Program Files (x86)\CPointASP\cpointasp.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	128
Entropy (8bit):	2.9069818137270764
Encrypted:	false
SSDEEP:	3:1k/GTQycTEvIgAnDTa3pkHil/:1rQy0EvIxPa3pkHit
MD5:	357ACA400DC2E1FC61FC5B8C66BA4975
SHA1:	35BD8E97F1FF7F55C3D1082C70AB99BDBBCDFD44
SHA-256:	F5832873187B52BE987AF2BDDB7E2FEA81E0605C6A9843020C375D1710CED212
SHA-512:	2CE616BC68801013EA59C59FD232822D59B68C30AB8701F802D0D686DF92CDB19B329A6FD2B3EAE2E91862F048D2BD7A35A2430C70F466F609A350745E88549C
Malicious:	false
Preview:	3e0f2500c0db57d92fa196d33e7a2b8f6ce30e1128f6a30e537a9ba072d59a73................................................................

C:\ProgramData\softokn3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\ts75.dat

Download File

Process:	C:\Program Files (x86)\CPointASP\cpointasp.exe
File Type:	Non-ISO extended-ASCII text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:id//:il/
MD5:	01BB1929BD311F7A8F00E320DFF6CF2C
SHA1:	343128FED98014B5A2E7AD907F0002C877858768
SHA-256:	4CA0529CEA71984EC671C65824A2BA25024FBF9C4E99672F513F61C12056B2CB
SHA-512:	F8AF366DFF199499D00CDA489602CB4719818FAF5A59E1C7880B2D2FED95B59682369CE284665C51A0589E505CF309D733A02B8868E0C9E26FBC4EC02E83F29A
Malicious:	false
Preview:	~..e....

C:\ProgramData\vcruntime140.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\9561.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\9561.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat

Download File

Process:	C:\Windows\explorer.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	1018
Entropy (8bit):	5.235990633565231
Encrypted:	false
SSDEEP:	24:YqHZ6T06Mhmpvmyb0O0bihmAvmy6CUXyhmDvmybxdB6hmKvmyz0JahmlvmybNdBd:YqHZ6T06McEyb0O0biczyDUXycaybxdp
MD5:	0D158326133D9F27F44A933593B668BB
SHA1:	634FB34DC528526CA14417C73DBC57C6A1155D28
SHA-256:	F0C4D41D7073B5255B4F85056C20C29F4435D540A0C9D6D9EED8B38F6508D9FC
SHA-512:	D108588E8D57AC94B4763A8C07C25E62F11CB089084791E5DF7C0621E3229E0637B9BBCE1AC26583889230B2517125CAC680CFD688BEFF5159C88771A9F89024
Malicious:	false
Preview:	{"RecentItems":[{"AppID":"Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge","PenUsageSec":15,"LastSwitchedLowPart":1015884592,"LastSwitchedHighPart":31061873,"PrePopulated":true},{"AppID":"Microsoft.WindowsCommunicationsApps_8wekyb3d8bbwe!Microsoft.WindowsLive.Mail","PenUsageSec":15,"LastSwitchedLowPart":1005884592,"LastSwitchedHighPart":31061873,"PrePopulated":true},{"AppID":"Microsoft.Office.OneNote_8wekyb3d8bbwe!microsoft.onenoteim","PenUsageSec":15,"LastSwitchedLowPart":995884592,"LastSwitchedHighPart":31061873,"PrePopulated":true},{"AppID":"Microsoft.Windows.Photos_8wekyb3d8bbwe!App","PenUsageSec":15,"LastSwitchedLowPart":985884592,"LastSwitchedHighPart":31061873,"PrePopulated":true},{"AppID":"Microsoft.MSPaint_8wekyb3d8bbwe!Microsoft.MSPaint","PenUsageSec":15,"LastSwitchedLowPart":975884592,"LastSwitchedHighPart":31061873,"PrePopulated":true},{"AppID":"Microsoft.WindowsMaps_8wekyb3d8bbwe!App","PenUsageSec":15,"LastSwitchedLowPart":965884592,"LastSwitchedHighPart":31061873,"Pre

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\4AOTMOXE.htm

Download File

Process:	C:\Users\user\AppData\Local\Temp\InstallSetup9.exe
File Type:	HTML document, ASCII text
Category:	dropped
Size (bytes):	233
Entropy (8bit):	5.097437238923001
Encrypted:	false
SSDEEP:	6:pn0+Dy9xwol6hEr6VX16hu9nPic4i9KmGd+KqD:J0+ox0RJWWPN9FGIT
MD5:	484B1529A803141CC1C5A217C5C17391
SHA1:	5B1D11CBE92B50A9278177ED3116638DADA43712
SHA-256:	255B4FD0A69DE10E5A85DBBBC3BF95F3936F79CAA87E34D1CE0E02E7D2734BF6
SHA-512:	8F6AC48EE517E9EF8C8BE0F2CCC3011077B7A9478380038EA0256627CDC29B79B3499654B6B96BEB79582E73980AA00BBA237A1CF64522679B3CA64019749310
Malicious:	false
Preview:	<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>301 Moved Permanently</title>.</head><body>.<h1>Moved Permanently</h1>.<p>The document has moved <a href="http://www.zonealarm.com/">here</a>.</p>.</body></html>.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\freebl3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\mozglue[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\msvcp140[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\nss3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\softokn3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GIBVL2EB\vcruntime140[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GJ1F663Z\113BJA0I.htm

Download File

Process:	C:\Users\user\AppData\Local\Temp\InstallSetup9.exe
File Type:	HTML document, ASCII text, with no line terminators
Category:	dropped
Size (bytes):	91
Entropy (8bit):	4.745401272671828
Encrypted:	false
SSDEEP:	3:w+u7F6nmqDISLi9KYLGGHuK0HXb:wH7FULLi9KmGFb
MD5:	6CDA7D67D51D07AFE8AA43223A04BEFF
SHA1:	F86571424DFD82F6FBF7F86C36F5107442028CF3
SHA-256:	E74F2B0E1F60C5A66256A63BD889EBA0D522E95447723FB49FCF0E4743CC6E19
SHA-512:	5023A91AAD2B8A36D26AD0F02C47B1B0365907DEF113F66619F3967437476DA89829716921D7F90711F088B0607BBA1E23CE919AF23CD9398741F764FC1B99BA
Malicious:	false
Preview:	<head><body> This object may be found <a HREF="https://www.zonealarm.com/">here</a> </body>

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\GJ1F663Z\plus[1].htm

Download File

Process:	C:\Users\user\AppData\Local\Temp\InstallSetup9.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:V:V
MD5:	CFCD208495D565EF66E7DFF9F98764DA
SHA1:	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:	31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:	false
Preview:	0

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ONMZACOW\12AYSI9S.htm

Download File

Process:	C:\Users\user\AppData\Local\Temp\InstallSetup9.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (1397)
Category:	dropped
Size (bytes):	58036
Entropy (8bit):	4.957693911358508
Encrypted:	false
SSDEEP:	768:3fHAtJUT9pv73dOLrW5nZ7i9vLrD43ovlp:3fHAjUT9pj3sLruZ7ilrD434lp
MD5:	76C8F0672E133EDAA89D343D60EAB88B
SHA1:	790F35B9641FFA8A30C4CB35CB6E2193B0A436B9
SHA-256:	535B055AEC12785E72F558E1DE70EEE96ECDE8DF4979DC20E466E95DB52960A9
SHA-512:	E6D3B4B16C83CD1ECAD0FC3EC553F2C89B6F0C657F2047E5A4D07619CBB87701161200661E6188DD5A4A626935950702B1C2C04FFDA7EDA835EB99E678F8A95C
Malicious:	false
Preview:	<!doctype html>..<html lang="en" dir="ltr">.<head>..<script type="text/javascript"> (function (){ var unescape = function unescapeHtmlEntitiesDeepLite(r){if("function"!=typeof Array.isArray\|\|"function"!=typeof Array.prototype.forEach\|\|"function"!=typeof Array.prototype.map\|\|"function"!=typeof Object.keys)throw Error("Unsupported browser: Missing support for `Array.isArray`, `Array.prototype.forEach`, `Array.prototype.map`, or `Object.keys`! (Sails' built-in HTML-unescaping for exposed locals supports IE9 and up.)");return function t(r){if(null===r)return r;if(r===!0\|\|r===!1)return r;if("number"==typeof r)return r;if("string"==typeof r){var e=/&(?:amp\|lt\|gt\|quot\|#39\|#96);/g,o=RegExp(e.source);if(""===r)return r;if(o.test(r)){var n={"&":"&","<":"<",">":">",""":'"',"'":"'","`":"`"};return r=r.replace(e,function(r){return n[r]})}return r}return Array.isArray(r)?r=r.map(function(r){return t(r)}):(Object.keys(r).forEach(function(e){r[e]=t(r[e],e)}),r)}(r)}; window.SA

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ONMZACOW\syncUpd[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\InstallSetup9.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	300032
Entropy (8bit):	6.866758361796511
Encrypted:	false
SSDEEP:	6144:uecWWVV0YLY6TUIXxCelOvOZfKi76bRXMA:ucWVGYc6TUIXevCKiebph
MD5:	8D7509943A544938231EAF3A6BE9332E
SHA1:	4813C94230AE01377C4166D8C312C4409FB52D64
SHA-256:	6EBDBC0B9B3A3D8EFB3BD29076241EC71C6C2E7D39C93409EB5B1D06FC9B70A8
SHA-512:	03981CBD08217DDE1F9D584AEF7F426B924179961EE6CBC07F870E031B2EC120DDED7014A3C05607BE6EC1720744F782AFE6502FF376EEE1FE6A15921746390C
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l..(..(..(..6......6...<..6.........-..(.._..6...)..6...)..6...)..Rich(..................PE..L....C.b............................G........ ....@...........................".....v/.......................................J..<......../........................................................................... ...............................text............................... ..`.rdata..x5... ...6..................@..@.data....e...`...$...>..............@....wasubiy.............b..............@....rsrc............0...d..............@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\230CPX5Q.htm

Download File

Process:	C:\Users\user\AppData\Local\Temp\InstallSetup9.exe
File Type:	HTML document, Unicode text, UTF-8 text, with very long lines (24599), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	367823
Entropy (8bit):	5.411385062194152
Encrypted:	false
SSDEEP:	3072:cSZsSfsF8jJMI7P6s4pD/pgSI+HK7soFgRtyc3IM:czI7P6nKix3v
MD5:	4033A9BF7D3EF16EAB7E540C53451B2F
SHA1:	C4294441D98EAAB69220BE33697AA88CCA277134
SHA-256:	E1FC1EF74DDD53E195B2A6C23151AB85861141A01024B03062096489350845E2
SHA-512:	99685B04BAF3061CB83F9259931B3CF31886A14DA6ABF5754578D98B496B3165C00BBBC4B296325442A7A46A871E5C7D388AA1E5BD595CA840F690760269B599
Malicious:	false
Preview:	<!DOCTYPE html><html lang="en" data-promo-id="cf92eff" data-domain="usa" data-no-gtm="false" data-no-maxymiser="false" data-no-omniture="false" dir="ltr"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width"/><meta name="next-head-count" content="2"/><title data-react-helmet="true">Kaspersky Cyber Security Solutions for Home and Business \| Kaspersky</title><meta data-react-helmet="true" name="description" content="A Global Leader in Next Generation Cybersecurity Solutions and Services, Kaspersky Offers Premium Protection Against All Cyber Threats for Your Home and Business."/><meta data-react-helmet="true" name="DocId" content="/"/><meta data-react-helmet="true" name="DocType" content="Marketing-B2C"/><meta data-react-helmet="true" name="PublishDate" content="2023-12-28"/><meta data-react-helmet="true" name="PubLang" content="en"/><meta data-react-helmet="true" name="PubCountry" content="us"/><meta data-react-helmet="true" name="Breadcrumb" content=""/><meta d

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\XTKIPRPQ.txt

Download File

Process:	C:\Users\user\AppData\Local\Temp\InstallSetup9.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	12
Entropy (8bit):	2.1258145836939115
Encrypted:	false
SSDEEP:	3:XOj:Xe
MD5:	416B4BAB4CCD524D0B3EB958E5486867
SHA1:	E5E94B6F9F22E9FCD96613544935E9948B523E55
SHA-256:	BE4EFD67A84F76F86829B7CE4AE4F0E2C091C778D2E2AF9D6A3BC4EA6AB7D396
SHA-512:	306BFF69AC28C25504276FC96CFFB620F38D9127244E20078E4D44805B87DDA541E51D2246CA9BDE0D48BCFE79DB94402CC735F89BF6679B917985596A9FC956
Malicious:	false
Preview:	212.102.41.2

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	2224
Entropy (8bit):	5.354902188542171
Encrypted:	false
SSDEEP:	48:CWSU4y4RQmFoUeWmfgZ9tK8NPdMs7u1iMuge//8aOUyu0lhV:CLHyIFKL3IZ2KlDOugg01
MD5:	80EA35E6235366285D62F286CDAE9652
SHA1:	D92475BA18044F955224B9F524F6848F76D1F89B
SHA-256:	5E0126B3E9570F2BA3024C6F332DE08DCE09F1BF0B516132E5E417CDE6BB459F
SHA-512:	9C478D0C78D2B84F6AE98B7D01DF861D00D1A8CC135CC39ABE0219FACA9D44D0B71B756BB91C56FAB99DF1DA0095F2BB084BF31F152CA64DFC7B328CA18F315D
Malicious:	false
Preview:	@...e...........................................................P................1]...E.....m.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...\|...........System.ConfigurationH................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\9561.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4425080
Entropy (8bit):	7.981464738248495
Encrypted:	false
SSDEEP:	98304:LF6mYe92yaRlXabps7m9EsVfXWt3CTqFMQM/avj:4mYE1aR9alsi5xGxXFcm
MD5:	1894F7AA0F57BEC640F13E2EC87840E1
SHA1:	87A64FDDCF3A792F5C07F1E940A654E12792F780
SHA-256:	7E196845E76B541A54944C07C6C65913F86715BD5E0F87943C109AA4B4BF1362
SHA-512:	C232A0FBB57532384D217C034B466E179C7D4DBE688BF6E630AE34BAA2259EAAD0616D359A32799BDF03723C0D8AC904626888B4F677E8519346F41C32A316A9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 91%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................................P............Y.......................Rich...................PE..L...2*.b..................A..........!........A...@.................................u.D.....................................,.B.P.....B.h7...........zC.x.............................................................A.$............................text.....A.......A................. ..`.rdata...9....A..:....A.............@..@.data....h...0B..&....B.............@....viji...A.....B......>B.............@....rsrc...h.O...B..8...BB.............@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\3205.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	5742432
Entropy (8bit):	7.9642772566149125
Encrypted:	false
SSDEEP:	98304:ggembPsSmS/lUqZInvyBaXI83SqudSIB6SWZC9EVTbEe3e9VYxGNxR/ujA5+J0T+:ggfItuUqzCIqfg6SWZC4f3mYEr9wJ0T+
MD5:	4E9FEA144C7EEF4B54BB9B2882C5A498
SHA1:	3EAF196366FEA24B586127198ED42C3FC9F53360
SHA-256:	56492651EDC770BC3F05A940AD343B65CFEFF75DA8BBED6219014557F8543C1F
SHA-512:	EA851239F7BFAB9ACB7887F740569FC4F92AFA73A8A3C6A43A8E7FF769BDA7A2FC7EEF9EDA3C18AAE6CC9BDCD243EA4C3FB279E146B821B21D22ED7125426B20
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 57%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...HH.e.................,............i...........@...................................X...@........................................................tW.`+......T....................................................0K.t............................text...g+.......................... ..`.rdata...6...@......................@..@.data...,...........................@....AVI;.............................`..`.AVI;.. ....0......................`..`.vmp..y....0<..................... ..`.vmp.......0K.....................@....vmp...IU..@K..JU................. ..`.reloc..T............PU.............@..@.rsrc................lU.............@..@........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\4KPV6A~1\cached-certs (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\83BC.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	20852
Entropy (8bit):	6.05147791645295
Encrypted:	false
SSDEEP:	384:t2q48XVd91hMByd24ZFtVf1hc1xtMY4QkV6icO1hMtq/ea4igBVA1hrqf/40VVqp:nnX9862M1uxRBkoicOaq2a9gBSyHJiOG
MD5:	0A7599109FCA55CE2722AFF7DA1B9FB8
SHA1:	4E565C8216828B929E8018953F139068DC522BDD
SHA-256:	3D7E2B2F9C0C3DBF34DCDB579FCFADABEEB172E6071850EB1BD8A29285E4D0C7
SHA-512:	927209C620EC6862FE214C7D39B8291155C72C69E8348D89860A34D3520675E0F17DE786B0A29C1631DD798CEDBA4C51832AB94AF834CCC0B2FB5FCDE0DD3ABE
Malicious:	false
Preview:	dir-key-certificate-version 3..fingerprint 27102BC123E7AF1D4741AE047E160C91ADC76B21..dir-key-published 2023-08-14 16:19:36..dir-key-expires 2024-08-14 16:19:36..dir-identity-key..-----BEGIN RSA PUBLIC KEY-----..MIIBigKCAYEAuxgnMVH4vwBjMeGvrEODOYcjbCS4N+Wt0SZ6XA5I08HyMf5AbaaF..MDscJBRIUOp7DyLmUwK+jp+QI8pUjjKsB8S0ctb/J3Im2T6CXnP2KgEfVmpNVQmV..XdMm8cRZl1uIZDDBAXizSQ51f9A17TJh7pF/5khYp/SAzl6aO5ETn7ry0ITiJnNa..6cY+400F7ZBA8NuXnCHVGfmpFFsiJKFrS1Kve629eeaNEd3mynRviBXJy5a4NEGf..y42Ev8on6SxEnF9OG0NMJ081/+mP+j8Dsl3+Uehzr9B42MQQfDo4RdYGrt9XolBm..L4eay1ieZEsFeDy0TMfiGGbr90wo1fgGLHIRSfTNLhhPJ/f9cTZPe98rhSgGWiAd..RvK5SljoIOR4qdS9/aiZkj1P+etvh1rIQUcG4/xCOBnouEBK+DDHZFqyMtpMPtV0..Bxi20DVaMJcyhdfjVqcRSyuR8tlOnTid6QwBj6kgIIfMaC+4Ht6yO/SYquCWlaZl..y7Pu7li8WyW9AgMBAAE=..-----END RSA PUBLIC KEY-----..dir-signing-key..-----BEGIN RSA PUBLIC KEY-----..MIIBCgKCAQEAoHvoqHAko5sxqvdimQxWoRGlH9ImeXTXXLgpcStvKAPY9xsH+qMb..5Ge3CMVzIFoZ4E5GvtzICecFsOrtw6q6bBv3ZG4zbTm8uiPuR7RZdfZD0V+Ljoip..J47UXjA/zq4n45NRbQawxMGRTuuw

C:\Users\user\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\83BC.exe
File Type:	ASCII text, with very long lines (1006)
Category:	dropped
Size (bytes):	2847818
Entropy (8bit):	5.611510799450617
Encrypted:	false
SSDEEP:	12288:hWiHf7sXRcGWJSeswKD7o6suSUhilD8/yGq7xMpp7Zc4i2c4sV6K25wgAKX:h5jYGEeswKM/UUS8dMDqX65weX
MD5:	123B5717463FDFB01CE08044063E7FC5
SHA1:	D62DB52C33A47EE5751D8903A3069DDDB78ED59F
SHA-256:	97EF20879591004AF493B4F60968D57F5F800BA6B71A3317B915BCBC21A120ED
SHA-512:	E7801169B6556478A431366C9474F8AC48B8E751EE025CE6EA2121F3E8F3268EA2E1B7C5C345281B6BDE0F96766BE2317EC57A2EC3203013AE4BBAE776EF9020
Malicious:	false
Preview:	network-status-version 3 microdesc.vote-status consensus.consensus-method 33.valid-after 2023-12-28 16:00:00.fresh-until 2023-12-28 17:00:00.valid-until 2023-12-28 19:00:00.voting-delay 300 300.client-versions 0.4.7.7,0.4.7.8,0.4.7.10,0.4.7.11,0.4.7.12,0.4.7.13,0.4.7.14,0.4.7.15,0.4.7.16,0.4.8.1-alpha,0.4.8.2-alpha,0.4.8.3-rc,0.4.8.4,0.4.8.5,0.4.8.6,0.4.8.7,0.4.8.8,0.4.8.9,0.4.8.10.server-versions 0.4.7.7,0.4.7.8,0.4.7.10,0.4.7.11,0.4.7.12,0.4.7.13,0.4.7.14,0.4.7.15,0.4.7.16,0.4.8.1-alpha,0.4.8.2-alpha,0.4.8.3-rc,0.4.8.4,0.4.8.5,0.4.8.6,0.4.8.7,0.4.8.8,0.4.8.9,0.4.8.10.known-flags Authority BadExit Exit Fast Guard HSDir MiddleOnly NoEdConsensus Running Stable StaleDesc Sybil V2Dir Valid.recommended-client-protocols Cons=2 Desc=2 DirCache=2 HSDir=2 HSIntro=4 HSRend=2 Link=4-5 Microdesc=2 Relay=2.recommended-relay-protocols Cons=2 Desc=2 DirCache=2 HSDir=2 HSIntro=4 HSRend=2 Link=4-5 LinkAuth=3 Microdesc=2 Relay=2.required-client-protocols Cons=2 Desc=2 Link=4 Microdesc=2 Relay=2.require

C:\Users\user\AppData\Local\Temp\4KPV6A~1\state (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\83BC.exe
File Type:	ASCII text, with very long lines (372), with CRLF line terminators
Category:	dropped
Size (bytes):	4689
Entropy (8bit):	5.271321116498988
Encrypted:	false
SSDEEP:	96:NZgWUGe0qlWTHNjmoO3rLdDGEnbpPMXyZEEakq:3UGabzX9Xb2yy
MD5:	4C8A74CECB1D30ABD8C59E152A3235CF
SHA1:	F4B389D93AD9CB32CB664579FAF45AFA9BCBD247
SHA-256:	7338E658E425E9A2C2D51207511C5A4F06A796B8F733F4E67D85C4979B6CE5CF
SHA-512:	3B008C2901D8544994527873C228B885C91764B6FDF479CE9E91E0D63494DB86AF251E0A1FCCF320A2CAF342F99CF514787D37A76F8E3C6D4D72B24D6D7E1FCC
Malicious:	false
Preview:	# Tor state file last generated on 2023-12-28 17:45:55 local time..# Other times below are in UTC..# You do not need to edit this file.....CircuitBuildTimeBin 1075 1..CircuitBuildTimeBin 1125 1..CircuitBuildTimeBin 1175 7..CircuitBuildTimeBin 1275 2..CircuitBuildTimeBin 1325 1..CircuitBuildTimeBin 1425 2..CircuitBuildTimeBin 1475 2..CircuitBuildTimeBin 1525 1..CircuitBuildTimeBin 1575 3..CircuitBuildTimeBin 1675 1..CircuitBuildTimeBin 1725 2..CircuitBuildTimeBin 1825 1..CircuitBuildTimeBin 1875 1..CircuitBuildTimeBin 2075 1..CircuitBuildTimeBin 2125 2..CircuitBuildTimeBin 2325 1..CircuitBuildTimeBin 2575 1..CircuitBuildTimeBin 2775 1..CircuitBuildTimeBin 3525 1..CircuitBuildTimeBin 15925 2..CircuitBuildTimeBin 16175 1..CircuitBuildTimeBin 16475 1..CircuitBuildTimeBin 16675 1..CircuitBuildTimeBin 16825 1..CircuitBuildTimeBin 17075 1..CircuitBuildTimeBin 17625 1..CircuitBuildTimeBin 17675 1..CircuitBuildTimeBin 17725 1..CircuitBuildTimeBin 18425 1..CircuitBuildTimeBin 41875 1..Dormant

C:\Users\user\AppData\Local\Temp\4KPV6A~1\unverified-microdesc-consensus (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\83BC.exe
File Type:	ASCII text, with very long lines (1006)
Category:	dropped
Size (bytes):	2847818
Entropy (8bit):	5.611510799450617
Encrypted:	false
SSDEEP:	12288:hWiHf7sXRcGWJSeswKD7o6suSUhilD8/yGq7xMpp7Zc4i2c4sV6K25wgAKX:h5jYGEeswKM/UUS8dMDqX65weX
MD5:	123B5717463FDFB01CE08044063E7FC5
SHA1:	D62DB52C33A47EE5751D8903A3069DDDB78ED59F
SHA-256:	97EF20879591004AF493B4F60968D57F5F800BA6B71A3317B915BCBC21A120ED
SHA-512:	E7801169B6556478A431366C9474F8AC48B8E751EE025CE6EA2121F3E8F3268EA2E1B7C5C345281B6BDE0F96766BE2317EC57A2EC3203013AE4BBAE776EF9020
Malicious:	false
Preview:	network-status-version 3 microdesc.vote-status consensus.consensus-method 33.valid-after 2023-12-28 16:00:00.fresh-until 2023-12-28 17:00:00.valid-until 2023-12-28 19:00:00.voting-delay 300 300.client-versions 0.4.7.7,0.4.7.8,0.4.7.10,0.4.7.11,0.4.7.12,0.4.7.13,0.4.7.14,0.4.7.15,0.4.7.16,0.4.8.1-alpha,0.4.8.2-alpha,0.4.8.3-rc,0.4.8.4,0.4.8.5,0.4.8.6,0.4.8.7,0.4.8.8,0.4.8.9,0.4.8.10.server-versions 0.4.7.7,0.4.7.8,0.4.7.10,0.4.7.11,0.4.7.12,0.4.7.13,0.4.7.14,0.4.7.15,0.4.7.16,0.4.8.1-alpha,0.4.8.2-alpha,0.4.8.3-rc,0.4.8.4,0.4.8.5,0.4.8.6,0.4.8.7,0.4.8.8,0.4.8.9,0.4.8.10.known-flags Authority BadExit Exit Fast Guard HSDir MiddleOnly NoEdConsensus Running Stable StaleDesc Sybil V2Dir Valid.recommended-client-protocols Cons=2 Desc=2 DirCache=2 HSDir=2 HSIntro=4 HSRend=2 Link=4-5 Microdesc=2 Relay=2.recommended-relay-protocols Cons=2 Desc=2 DirCache=2 HSDir=2 HSIntro=4 HSRend=2 Link=4-5 LinkAuth=3 Microdesc=2 Relay=2.required-client-protocols Cons=2 Desc=2 Link=4 Microdesc=2 Relay=2.require

C:\Users\user\AppData\Local\Temp\4kPv6aJG8e\cached-certs.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\83BC.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	20852
Entropy (8bit):	6.05147791645295
Encrypted:	false
SSDEEP:	384:t2q48XVd91hMByd24ZFtVf1hc1xtMY4QkV6icO1hMtq/ea4igBVA1hrqf/40VVqp:nnX9862M1uxRBkoicOaq2a9gBSyHJiOG
MD5:	0A7599109FCA55CE2722AFF7DA1B9FB8
SHA1:	4E565C8216828B929E8018953F139068DC522BDD
SHA-256:	3D7E2B2F9C0C3DBF34DCDB579FCFADABEEB172E6071850EB1BD8A29285E4D0C7
SHA-512:	927209C620EC6862FE214C7D39B8291155C72C69E8348D89860A34D3520675E0F17DE786B0A29C1631DD798CEDBA4C51832AB94AF834CCC0B2FB5FCDE0DD3ABE
Malicious:	false
Preview:	dir-key-certificate-version 3..fingerprint 27102BC123E7AF1D4741AE047E160C91ADC76B21..dir-key-published 2023-08-14 16:19:36..dir-key-expires 2024-08-14 16:19:36..dir-identity-key..-----BEGIN RSA PUBLIC KEY-----..MIIBigKCAYEAuxgnMVH4vwBjMeGvrEODOYcjbCS4N+Wt0SZ6XA5I08HyMf5AbaaF..MDscJBRIUOp7DyLmUwK+jp+QI8pUjjKsB8S0ctb/J3Im2T6CXnP2KgEfVmpNVQmV..XdMm8cRZl1uIZDDBAXizSQ51f9A17TJh7pF/5khYp/SAzl6aO5ETn7ry0ITiJnNa..6cY+400F7ZBA8NuXnCHVGfmpFFsiJKFrS1Kve629eeaNEd3mynRviBXJy5a4NEGf..y42Ev8on6SxEnF9OG0NMJ081/+mP+j8Dsl3+Uehzr9B42MQQfDo4RdYGrt9XolBm..L4eay1ieZEsFeDy0TMfiGGbr90wo1fgGLHIRSfTNLhhPJ/f9cTZPe98rhSgGWiAd..RvK5SljoIOR4qdS9/aiZkj1P+etvh1rIQUcG4/xCOBnouEBK+DDHZFqyMtpMPtV0..Bxi20DVaMJcyhdfjVqcRSyuR8tlOnTid6QwBj6kgIIfMaC+4Ht6yO/SYquCWlaZl..y7Pu7li8WyW9AgMBAAE=..-----END RSA PUBLIC KEY-----..dir-signing-key..-----BEGIN RSA PUBLIC KEY-----..MIIBCgKCAQEAoHvoqHAko5sxqvdimQxWoRGlH9ImeXTXXLgpcStvKAPY9xsH+qMb..5Ge3CMVzIFoZ4E5GvtzICecFsOrtw6q6bBv3ZG4zbTm8uiPuR7RZdfZD0V+Ljoip..J47UXjA/zq4n45NRbQawxMGRTuuw

C:\Users\user\AppData\Local\Temp\4kPv6aJG8e\cached-microdesc-consensus.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\83BC.exe
File Type:	ASCII text, with very long lines (1006)
Category:	dropped
Size (bytes):	2847818
Entropy (8bit):	5.611510799450617
Encrypted:	false
SSDEEP:	12288:hWiHf7sXRcGWJSeswKD7o6suSUhilD8/yGq7xMpp7Zc4i2c4sV6K25wgAKX:h5jYGEeswKM/UUS8dMDqX65weX
MD5:	123B5717463FDFB01CE08044063E7FC5
SHA1:	D62DB52C33A47EE5751D8903A3069DDDB78ED59F
SHA-256:	97EF20879591004AF493B4F60968D57F5F800BA6B71A3317B915BCBC21A120ED
SHA-512:	E7801169B6556478A431366C9474F8AC48B8E751EE025CE6EA2121F3E8F3268EA2E1B7C5C345281B6BDE0F96766BE2317EC57A2EC3203013AE4BBAE776EF9020
Malicious:	false
Preview:	network-status-version 3 microdesc.vote-status consensus.consensus-method 33.valid-after 2023-12-28 16:00:00.fresh-until 2023-12-28 17:00:00.valid-until 2023-12-28 19:00:00.voting-delay 300 300.client-versions 0.4.7.7,0.4.7.8,0.4.7.10,0.4.7.11,0.4.7.12,0.4.7.13,0.4.7.14,0.4.7.15,0.4.7.16,0.4.8.1-alpha,0.4.8.2-alpha,0.4.8.3-rc,0.4.8.4,0.4.8.5,0.4.8.6,0.4.8.7,0.4.8.8,0.4.8.9,0.4.8.10.server-versions 0.4.7.7,0.4.7.8,0.4.7.10,0.4.7.11,0.4.7.12,0.4.7.13,0.4.7.14,0.4.7.15,0.4.7.16,0.4.8.1-alpha,0.4.8.2-alpha,0.4.8.3-rc,0.4.8.4,0.4.8.5,0.4.8.6,0.4.8.7,0.4.8.8,0.4.8.9,0.4.8.10.known-flags Authority BadExit Exit Fast Guard HSDir MiddleOnly NoEdConsensus Running Stable StaleDesc Sybil V2Dir Valid.recommended-client-protocols Cons=2 Desc=2 DirCache=2 HSDir=2 HSIntro=4 HSRend=2 Link=4-5 Microdesc=2 Relay=2.recommended-relay-protocols Cons=2 Desc=2 DirCache=2 HSDir=2 HSIntro=4 HSRend=2 Link=4-5 LinkAuth=3 Microdesc=2 Relay=2.required-client-protocols Cons=2 Desc=2 Link=4 Microdesc=2 Relay=2.require

C:\Users\user\AppData\Local\Temp\4kPv6aJG8e\cached-microdescs.new

Download File

Process:	C:\Users\user\AppData\Local\Temp\83BC.exe
File Type:	ASCII text, with very long lines (16386)
Category:	modified
Size (bytes):	22255493
Entropy (8bit):	4.8101361872421196
Encrypted:	false
SSDEEP:	24576:7tku65rYIzOfDnVJFUP1kU8uftwY3EVkOS6PE28f4VpHXisuoNQvFwSPJ03vbSpP:KBp4YmAspKZ6ZFuci6Sw9o
MD5:	D12162877D3A76E616CB6E85BA18EDA4
SHA1:	F2F05E82726F38C2F324A9F02F26381A29825CC6
SHA-256:	E7F7F8773CE85161E47FE10A534C201E464DBD5411533EAF3D198537BA16284D
SHA-512:	256B736D4648DBCB9087DBFA43B5214146CD8E294FBF592DFEC4D2987A07FCAE09410F0566272B25C1D991EAA78A43B9BF3BB1EE95E6E8CF088EA53D78954D5C
Malicious:	false
Preview:	@last-listed 2023-12-28 16:38:36.onion-key.-----BEGIN RSA PUBLIC KEY-----.MIGJAoGBANS9Xw3aOp9s2HroRjI+Z50q5H6jddMe/qZwpubdj7hPtA8ksELzcSY+.JoyBk/qW10u1IkAhM4yS3OWM6JEVEgtXG64qcRPfFF1MbcOAgwNnwwrRvWfDcgRX.t7whttd5qGtDjhv3eDaHSuwJ5cJLJvhWGXmwGL+jIW4W0e8RD96rAgMBAAE=.-----END RSA PUBLIC KEY-----.ntor-onion-key FvT4elrn8viopUqj8JweTjuZOi8WC8kQflKhPYlzlzU.family $547E6E68ADE1B6F492C44443588A939610401DFB $861BCFDD148973985E7FE97C7455C9E4AC4E13BE $892A827BF67DB270E303677A33FE577069DDE558 $C0DAAAE5EE461BBE13945FE4B52F32ABDC6BC376.id ed25519 MuaxcQ7uCMXw7A1Tf4YYQSRLK34+jj71dVNkFX272n8.@last-listed 2023-12-28 16:38:36.onion-key.-----BEGIN RSA PUBLIC KEY-----.MIGJAoGBAM5ENZof+Mz7Ar2KEC/uf6KtoUd9AO9jgej0NL8VvL4broqbr/0t3Fa4.yUS8ywrJavkLEJOY6c1+QSnNCP7y54ye1WGJRs7hFfVShtBl9UKlDwzdIs1UeSSA.auFbwqmrA5kE91hNl8CQHA91y0rY/DGY4f96NCaf1D/9bJZmLMm9AgMBAAE=.-----END RSA PUBLIC KEY-----.ntor-onion-key YCBvdUBv0askuNvowj0Q0VjEMth+j/9jZtOk3tsZqiY.family $188673CF3937442517301800F383BE53D4A17732 $69122296D37FC7

C:\Users\user\AppData\Local\Temp\4kPv6aJG8e\state.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\83BC.exe
File Type:	ASCII text, with very long lines (372), with CRLF line terminators
Category:	dropped
Size (bytes):	4689
Entropy (8bit):	5.271321116498988
Encrypted:	false
SSDEEP:	96:NZgWUGe0qlWTHNjmoO3rLdDGEnbpPMXyZEEakq:3UGabzX9Xb2yy
MD5:	4C8A74CECB1D30ABD8C59E152A3235CF
SHA1:	F4B389D93AD9CB32CB664579FAF45AFA9BCBD247
SHA-256:	7338E658E425E9A2C2D51207511C5A4F06A796B8F733F4E67D85C4979B6CE5CF
SHA-512:	3B008C2901D8544994527873C228B885C91764B6FDF479CE9E91E0D63494DB86AF251E0A1FCCF320A2CAF342F99CF514787D37A76F8E3C6D4D72B24D6D7E1FCC
Malicious:	false
Preview:	# Tor state file last generated on 2023-12-28 17:45:55 local time..# Other times below are in UTC..# You do not need to edit this file.....CircuitBuildTimeBin 1075 1..CircuitBuildTimeBin 1125 1..CircuitBuildTimeBin 1175 7..CircuitBuildTimeBin 1275 2..CircuitBuildTimeBin 1325 1..CircuitBuildTimeBin 1425 2..CircuitBuildTimeBin 1475 2..CircuitBuildTimeBin 1525 1..CircuitBuildTimeBin 1575 3..CircuitBuildTimeBin 1675 1..CircuitBuildTimeBin 1725 2..CircuitBuildTimeBin 1825 1..CircuitBuildTimeBin 1875 1..CircuitBuildTimeBin 2075 1..CircuitBuildTimeBin 2125 2..CircuitBuildTimeBin 2325 1..CircuitBuildTimeBin 2575 1..CircuitBuildTimeBin 2775 1..CircuitBuildTimeBin 3525 1..CircuitBuildTimeBin 15925 2..CircuitBuildTimeBin 16175 1..CircuitBuildTimeBin 16475 1..CircuitBuildTimeBin 16675 1..CircuitBuildTimeBin 16825 1..CircuitBuildTimeBin 17075 1..CircuitBuildTimeBin 17625 1..CircuitBuildTimeBin 17675 1..CircuitBuildTimeBin 17725 1..CircuitBuildTimeBin 18425 1..CircuitBuildTimeBin 41875 1..Dormant

C:\Users\user\AppData\Local\Temp\4kPv6aJG8e\unverified-microdesc-consensus.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\83BC.exe
File Type:	ASCII text, with very long lines (1006)
Category:	dropped
Size (bytes):	2847818
Entropy (8bit):	5.611510799450617
Encrypted:	false
SSDEEP:	12288:hWiHf7sXRcGWJSeswKD7o6suSUhilD8/yGq7xMpp7Zc4i2c4sV6K25wgAKX:h5jYGEeswKM/UUS8dMDqX65weX
MD5:	123B5717463FDFB01CE08044063E7FC5
SHA1:	D62DB52C33A47EE5751D8903A3069DDDB78ED59F
SHA-256:	97EF20879591004AF493B4F60968D57F5F800BA6B71A3317B915BCBC21A120ED
SHA-512:	E7801169B6556478A431366C9474F8AC48B8E751EE025CE6EA2121F3E8F3268EA2E1B7C5C345281B6BDE0F96766BE2317EC57A2EC3203013AE4BBAE776EF9020
Malicious:	false
Preview:	network-status-version 3 microdesc.vote-status consensus.consensus-method 33.valid-after 2023-12-28 16:00:00.fresh-until 2023-12-28 17:00:00.valid-until 2023-12-28 19:00:00.voting-delay 300 300.client-versions 0.4.7.7,0.4.7.8,0.4.7.10,0.4.7.11,0.4.7.12,0.4.7.13,0.4.7.14,0.4.7.15,0.4.7.16,0.4.8.1-alpha,0.4.8.2-alpha,0.4.8.3-rc,0.4.8.4,0.4.8.5,0.4.8.6,0.4.8.7,0.4.8.8,0.4.8.9,0.4.8.10.server-versions 0.4.7.7,0.4.7.8,0.4.7.10,0.4.7.11,0.4.7.12,0.4.7.13,0.4.7.14,0.4.7.15,0.4.7.16,0.4.8.1-alpha,0.4.8.2-alpha,0.4.8.3-rc,0.4.8.4,0.4.8.5,0.4.8.6,0.4.8.7,0.4.8.8,0.4.8.9,0.4.8.10.known-flags Authority BadExit Exit Fast Guard HSDir MiddleOnly NoEdConsensus Running Stable StaleDesc Sybil V2Dir Valid.recommended-client-protocols Cons=2 Desc=2 DirCache=2 HSDir=2 HSIntro=4 HSRend=2 Link=4-5 Microdesc=2 Relay=2.recommended-relay-protocols Cons=2 Desc=2 DirCache=2 HSDir=2 HSIntro=4 HSRend=2 Link=4-5 LinkAuth=3 Microdesc=2 Relay=2.required-client-protocols Cons=2 Desc=2 Link=4 Microdesc=2 Relay=2.require

C:\Users\user\AppData\Local\Temp\7584.bat

Download File

Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	77
Entropy (8bit):	4.90323175550411
Encrypted:	false
SSDEEP:	3:u3Pvrmwqp2YR3sGJMGP5Rg5XQiKyMhF7n:uPzmg83JMuBi67
MD5:	55CC761BF3429324E5A0095CAB002113
SHA1:	2CC1EF4542A4E92D4158AB3978425D517FAFD16D
SHA-256:	D6CCEB3C71B80403364BF142F2FA4624EE0BE36A49BAC25ED45A497CF1CE9C3A
SHA-512:	33F9F5CAD22D291077787C7DF510806E4AC31F453D288712595AF6DEBE579FABED6CDF4662E46E6FA94DE135B161E739F55CFAE05C36C87AF85ED6A6AD1C9155
Malicious:	false
Preview:	reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\user\AppData\Local\Temp\83BC.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2029056
Entropy (8bit):	7.944729497213148
Encrypted:	false
SSDEEP:	49152:S3fAWuVHSdrO+tzwZHkr+8d3OCWwhdGshy5N7gQwgY9P:S3fAWubyzn7+3whNw7wg
MD5:	15184ED11B2354EDA1F1787DCBBCF04A
SHA1:	F21CFDFDB3D6BE8054CD9B5F21AC39EF2EC28011
SHA-256:	C4F00AD34B1347583B292ACACBCA0EE00E9DD594519E26F22DA895ECF6002B9A
SHA-512:	1FA8BFB44652654CB0FC72C793DDD4431A1EE293B326FAE7D4095BDE00CD4717CD5CDCFFAABA8CDCCB43E5BCEAE19574661CACA4E8011B0D22C67AB34CE761AB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 74%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........o].s<].s<].s<C..<{.s<C..<G.s<C..<..s<z2.<X.s<].r<!.s<C..<\.s<C..<\.s<C..<\.s<Rich].s<........PE..L......b..........................................@..........................p..................................................<...................................................................0...@............................................text.............................. ..`.rdata...4.......6..................@..@.data....h.......&..................@....venowe.\|............ ..............@....rsrc................"..............@..@........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\8469.bat

Download File

Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	77
Entropy (8bit):	4.90323175550411
Encrypted:	false
SSDEEP:	3:u3Pvrmwqp2YR3sGJMGP5Rg5XQiKyMhF7n:uPzmg83JMuBi67
MD5:	55CC761BF3429324E5A0095CAB002113
SHA1:	2CC1EF4542A4E92D4158AB3978425D517FAFD16D
SHA-256:	D6CCEB3C71B80403364BF142F2FA4624EE0BE36A49BAC25ED45A497CF1CE9C3A
SHA-512:	33F9F5CAD22D291077787C7DF510806E4AC31F453D288712595AF6DEBE579FABED6CDF4662E46E6FA94DE135B161E739F55CFAE05C36C87AF85ED6A6AD1C9155
Malicious:	false
Preview:	reg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 1

C:\Users\user\AppData\Local\Temp\9561.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	7079936
Entropy (8bit):	7.9831682035345874
Encrypted:	false
SSDEEP:	196608:tvt0kQnhCtKZSqNcg7xAtipQrBiS9cWzAY5do:trmhCfqNDtAtUQdiS9cWzDK
MD5:	3954CC01C26D1962284F3B95602F2367
SHA1:	6C9B061C4971E9C925D1303C42241A629DA7BE93
SHA-256:	8C887835F3B1861776B4D88A9C47DBE945DCADFD881B4AE9909488C022924CF6
SHA-512:	F0A43268C0B7C30B030DB0789D699452D2829C6CA3CB9523CE2302EE78C02FB4CE634D136F8EBA2409A227D4111B59DB5C1A3B2ED8C5FA6D97D118A23430DD45
Malicious:	true
Yara Hits:	Rule: MALWARE_Win_DLInjector04, Description: Detects downloader / injector, Source: C:\Users\user\AppData\Local\Temp\9561.exe, Author: ditekSHen
Antivirus:	Antivirus: ReversingLabs, Detection: 91%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......e..................k...........l.. ... l...@.. .......................`l...........@.................................T.l.W.... l.H....................@l...................................................... ............... ..H............text.....k.. ....k................. ..`.rsrc...H.... l.......l.............@..@.reloc.......@l.......l.............@..B..................l.....H.......\|.l..............'....k..........................................0.._.......~....,.(....,..(....~....,.(....,..(....~....,.(....,..(....~....,.(....,..(....~....,.~.... ....Z(....~....,.r...pr...p.(....&..8....~.....o.....~.....o.....~.....o.....~.....o.......(......~....,...(......~....r...p(....,.(....r...po......(......+)~....r1..p(....,...(....r...po....(..........(....(..........(.......(......X..~....o....?....~....&*..0../........s.....s.......s.......o.......,

C:\Users\user\AppData\Local\Temp\973D.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5577568
Entropy (8bit):	7.9906233283344505
Encrypted:	true
SSDEEP:	98304:f35SAxtZgV34EmYc0mT8c6YdEXaolOTNRw8KfbApsmIH9Sbx63F4iVd2GrF8:PgmtGF4XF8c6YKa2t8qcqm763yiB8
MD5:	12EAD7753C24FECCC1E04C9CF9B900C8
SHA1:	F38BE9C651A330D2D5CB3CE1343F07A6FE12AC18
SHA-256:	3B6C70209CDF14416B88878295FFDD315B137DF710C826C1D8F264DBE9BF7786
SHA-512:	93CBAE0F785FC26886AD8656718C68E3E6F2D9D073DB310AA3519B77EE7053C47268929892DDFF1279D939DBF326D83308119A9F79931BD500E69540B193E151
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 51%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...HH.e.................,...X...................@..........................@.......YU...@...................................7.x....@................T.`+... ..d....................................................04.<............................text...g+.......................... ..`.rdata...6...@......................@..@.data...,...........................@....vmp.............................. ..`.vmp.......04.....................@....vmp....R..@4...R................. ..`.reloc..d.... ........R.............@..@.rsrc........@........R.............@..@........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\B137.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4438660
Entropy (8bit):	7.998541974677346
Encrypted:	true
SSDEEP:	98304:QVs9YmyoMLk2MmY7yDfWnsPw7+gJQPH2Bv4dm8:ws9YgMnQyD/wq9W14dD
MD5:	54CD75DEB7E9DBE5151324D48EF485A0
SHA1:	1B7ACF3DB87D53B4110861417B8A59038571D6E9
SHA-256:	7FA38D69997067A5B046D6ACE9B5F17D3FCA53BB868634731FB3FEFD322BA1EF
SHA-512:	E33CA8F830102C30E1425633BB568D136B2277EDF0DE9515B64FC3940B69F6EACCD8AC3B82762B853F80CF4829CAF1EC24BA13815A35DEBAD36CA42CC08AB994
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F......@.............@..........................@...................@..............................P........,..........................................................................................................CODE....d........................... ..`DATA....L...........................@...BSS.....L................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....,.......,..................@..P.............@......................@..P........................................................................................................................................

C:\Users\user\AppData\Local\Temp\BroomSetup.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\InstallSetup9.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5515264
Entropy (8bit):	6.479505821994318
Encrypted:	false
SSDEEP:	98304:X4zVE2GO5za356R7mgdqMhW8hQjqb0It:gl7mg1WO
MD5:	00E93456AA5BCF9F60F84B0C0760A212
SHA1:	6096890893116E75BD46FEA0B8C3921CEB33F57D
SHA-256:	FF3025F9CF19323C5972D14F00F01296D6D7A71547ECA7E4016BFD0E1F27B504
SHA-512:	ABD2BE819C7D93BD6097155CF84EAF803E3133A7E0CA71F9D9CBC3C65E4E4A26415D2523A36ADAFDD19B0751E25EA1A99B8D060CAD61CDFD1F79ADF9CD4B4ECA
Malicious:	true
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 30%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......^..................?..........1?......@?...@..........................PV..................@...................0B.......A.@<...0G......................`B.t............................PB.....................p.A.D.... B......................text...\.>.......>................. ..`.itext...A....>..B....>............. ..`.data...d....@?.......?.............@....bss........ @..........................idata..@<....A..>....?.............@....didata...... B......:@.............@....edata.......0B......F@.............@..@.tls....T....@B..........................rdata..]....PB......H@.............@..@.reloc..t....`B......J@.............@..B.rsrc........0G.......E.............@..@.............PV......(T.............@..@................

C:\Users\user\AppData\Local\Temp\C1C2.dll

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2064384
Entropy (8bit):	7.931732976218936
Encrypted:	false
SSDEEP:	49152:LvfB4U38JL7xiYFE2w2ac6ZoOMcIC7H9QDKqGwUA:7fB8JUYFEz2K+OhzL9QGe
MD5:	A199819E14BA9AD265E80531B400B6CC
SHA1:	84D637B69958ED62636593A0E7D9671C6A9C3C45
SHA-256:	4EAC6FC23776623DED4A91FD2CD6D570D11C270703FE11EF8852DD8FF30A61F0
SHA-512:	5CAC2A9366E502820A240A339985A5E8CFDBA6D3430FCEB89D862609E79BCF33975166D609E1F9F6C4E8E48A23515782FD3812A6BCE5ABDD5A5D2EB15CA1AA53
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 30%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g/..#N@.#N@.#N@.6.4N@.#NA.7N@.#N@."N@.6."N@.6."N@.6."N@.Rich#N@.........PE..L...C'.e...........!..............%........................................................@........................@................0.......................@...0......................................................\|............................text...f..............................`.rdata..j...........................@..@.data....!....... ..................@...b=W\|.........0....... ..............@...Lny6jo2......0....... ..............@..@.reloc...C...@...P...0..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\CDAA.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5597024
Entropy (8bit):	7.98382287377833
Encrypted:	false
SSDEEP:	98304:F6PsU26Sdku25hRFDYex/IEZWlM3+dlj+qCjA5lSlfm9937Wi1g2s7AQNe9cPsgG:eSd8HRFDZxyuqNck3xAM95qJI
MD5:	BD21400B49D3C712466E20A9C4422C60
SHA1:	2B7B3F123AB07A588A2A8C55311A36DBBEFEC053
SHA-256:	D918F70EAD523616C754CDAFC3045D7575CB6B7403D5DFFCB17574074933829A
SHA-512:	75B9D1DBCD633AD9DDBBED8B9326F3F44E8BF99ACA058E0B5790A2C4F72F9F47B5A27A485D7641CCEBF7574067241819E127CF6A1E5908F2B94020C29BFE43B9
Malicious:	true
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L...HH.e.................,...j......E.h...........@.................................XOV...@...................................q......... m...........<U.`+...........................................................`K.t............................text...g+.......................... ..`.rdata...6...@......................@..@.data...,...........................@....AVI;..............................`..`.AVI;.......0......................`..`.EXE..+,...0<..................... ..`.EXE.......`K.....................@....EXE....T..pK...T................. ..`.reloc................T.............@..@.rsrc... m...........*T.............@..@........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\D0C3.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\D0C3.tmp-shm

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\DA78.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\DDA7.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\DF4E.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8517407251719497
Encrypted:	false
SSDEEP:	24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO4wxeHChWEE1:TeAFawNLopFgU10XJBOaT3
MD5:	D0962B221779A756754334848DCFF184
SHA1:	22CD3B9D687216E6921553F55958449CE7ABF05D
SHA-256:	7BA5110096912E6B352060FFF79B07EA95CA114A13D3994D7814831DFAA649B8
SHA-512:	05AFC25BA53913F0685075B6EC27A2A416168CB7A6D5C869D2F3DBA06AAD88633F1A709DD51AA1EDC946FF74E6271D9D3A5652FE4E0B8F226A452FDF6BAED36F
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\E21D.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.1368932887859682
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cF/k4:MnlyfnGtxnfVuSVumEHFs4
MD5:	9A534FD57BED1D3E9815232E05CCF696
SHA1:	916474D7D073A4EB52A2EF8F7D9EF9549C0808A1
SHA-256:	7BB87D8BC8D49EECAB122B7F5BCD9E77F77B36C6DB173CB41E83A2CCA3AC391B
SHA-512:	ADE77FBBDE6882EF458A43F301AD84B12B42D82E222FC647A78E5709554754714DB886523A639C78D05BC221D608F0F99266D89165E78F76B21083002BE8AEFF
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\E297.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	837120
Entropy (8bit):	7.759278936094509
Encrypted:	false
SSDEEP:	24576:K9WzVc3fXZxJkl6PoiPOw8OhI4nRSC/pzp9ysbp:K9lvvJkuTNrnIezp
MD5:	459DAC9D27EAE3400F00E228E409EE1B
SHA1:	B6748D40799F9B3EE18B01FBEE4F5CD8836D1C02
SHA-256:	3D7ACC48E1F072F24FEEFCEFF6712A1A5973FF4F5B5913D2E94F845BDDC6AAD1
SHA-512:	7AD48F231C512CBF5591683715990D6C6088E9DA476F0EF541CA159C7E54903067182AE22F107C6E4CC33FD6465541ACAFCB86F924B737D52BE7D646091F1824
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l..(..(..(..6......6...<..6.........-..(.._..6...)..6...)..6...)..Rich(..................PE..L...f..c.................6..........G........P....@..........................@..............................................z..<......../.......................................................... s..@............P...............................text....5.......6.................. ..`.rdata..x5...P...6...:..............@..@.data....e.......$...p..............@....corugim............................@....rsrc..../.......0..................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\E470.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\E721.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\EA00.tmp

Download File

Process:	C:\Windows\SysWOW64\explorer.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1211596417522893
Encrypted:	false
SSDEEP:	192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8wH0hL3kWieF:r2qOB1nxCkvSAELyKOMq+8wH0hLUZs
MD5:	0AB67F0950F46216D5590A6A41A267C7
SHA1:	3E0DD57E2D4141A54B1C42DD8803C2C4FD26CB69
SHA-256:	4AE2FD6D1BEDB54610134C1E58D875AF3589EDA511F439CDCCF230096C1BEB00
SHA-512:	D19D99A54E7C7C85782D166A3010ABB620B32C7CD6C43B783B2F236492621FDD29B93A52C23B1F4EFC9BF998E1EF1DFEE953E78B28DF1B06C24BADAD750E6DF7
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\InstallSetup9.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\9561.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	2349777
Entropy (8bit):	7.989512105352851
Encrypted:	false
SSDEEP:	49152:Ioruw2s5FXQ4EmojLjCRELVf7Avil+dHIsLp1thIikN+6u2hs7:IoruwzX71oDCRAZUviAHImDqia7hs7
MD5:	B244F23C876D3F9A81F2C2B395408E70
SHA1:	B5CB85B38E0035113BC837CB330F48ECFAA8A922
SHA-256:	EE2F89AC8B23D35330A44B6B53B0AFED4B4A908EE16B844E4EDB0FAADF494A3A
SHA-512:	790357661F412EFC3F07928A832E36F141AFD06D8DCCE32082561EB8DFAE89A4C70A81E7756BB3687C5E42298389C0C882A6E489ED51F99CD1374E3795B6415D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 87%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN._...PN..PO.JPN._...PN.s~..PN..VH..PN.Rich.PN.........................PE..L...l.d.................j..........25............@..........................@............@..........................................P..`............................................................................................................text....h.......j.................. ..`.rdata..d............n..............@..@.data...............................@....ndata.......P...........................rsrc...`....P......................@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3aug1k50.mkm.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_3e5dobtc.100.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_nqfmw4m2.bfu.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_psxsvoj1.obc.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\is-3QNR8.tmp\B137.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\B137.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	704512
Entropy (8bit):	6.496956945559699
Encrypted:	false
SSDEEP:	12288:ERObekMSkfohrPUs37uzHnA6zg5cIsalHERjUrNN/RQ9wgUT5EDExyc:2ObekrkfohrP337uzHnA6cHswHE/6gU3
MD5:	A7662827ECAEB4FC68334F6B8791B917
SHA1:	F93151DD228D680AA2910280E51F0A84D0CAD105
SHA-256:	05F159722D6905719D2D6F340981A293F40AB8A0D2D4A282C948066809D4AF6D
SHA-512:	E9880B3F3EC9201E59114850E9C570D0AD6D3B0E04C60929A03CF983C62C505FCB6BB9DC3ADEEE88C78D43BD484159626B4A2F000A34B8883164C263F21E6F4A
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................f...........q............@..............................................@...............................%..................................................................................................................CODE....(d.......f.................. ..`DATA.................j..............@...BSS..................\|...................idata...%.......&...\|..............@....tls.....................................rdata..............................@..P.reloc.............................@..P.rsrc...............................@..P.....................J..............@..P........................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-5KKD2.tmp\_isetup\_RegDLL.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.026670007889822
Encrypted:	false
SSDEEP:	48:ivuz1hEU3FR/pmqBl8/QMCBaquEMx5BC+SS4k+bkguj0KHc:bz1eEFNcqBC/Qrex5iSKDkc
MD5:	0EE914C6F0BB93996C75941E1AD629C6
SHA1:	12E2CB05506EE3E82046C41510F39A258A5E5549
SHA-256:	4DC09BAC0613590F1FAC8771D18AF5BE25A1E1CB8FDBF4031AA364F3057E74A2
SHA-512:	A899519E78125C69DC40F7E371310516CF8FAA69E3B3FF747E0DDF461F34E50A9FF331AB53B4D07BB45465039E8EBA2EE4684B3EE56987977AE8C7721751F5F9
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................H................\|.......\|.......\|......Rich............PE..L....M;J..................................... ....@..........................@..............................................l ..P....0..@............................................................................ ..D............................text............................... ..`.rdata....... ......................@..@.rsrc...@....0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-5KKD2.tmp\_isetup\_iscrypt.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2560
Entropy (8bit):	2.8818118453929262
Encrypted:	false
SSDEEP:	24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
MD5:	A69559718AB506675E907FE49DEB71E9
SHA1:	BC8F404FFDB1960B50C12FF9413C893B56F2E36F
SHA-256:	2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
SHA-512:	E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........W.c.W.c.W.c...>.T.c.W.b.V.c.R.<.V.c.R.?.V.c.R.9.V.c.RichW.c.........................PE..L....b.@...........!......................... ...............................@......................................p ..}.... ..(............................0....................................................... ...............................text............................... ..`.rdata....... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-5KKD2.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.215994423157539
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12pS5SKvkc:sfJEVYlvxaX12EF
MD5:	4FF75F505FDDCC6A9AE62216446205D9
SHA1:	EFE32D504CE72F32E92DCF01AA2752B04D81A342
SHA-256:	A4C86FC4836AC728D7BD96E7915090FD59521A9E74F1D06EF8E5A47C8695FD81
SHA-512:	BA0469851438212D19906D6DA8C4AE95FF1C0711A095D9F21F13530A6B8B21C3ACBB0FF55EDB8A35B41C1A9A342F5D3421C00BA395BC13BB1EF5902B979CE824
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d...XW:J..........#............................@.............................`..............................................................<!.......P..@....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...@....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-5KKD2.tmp\_isetup\_shfoldr.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	23312
Entropy (8bit):	4.596242908851566
Encrypted:	false
SSDEEP:	384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
MD5:	92DC6EF532FBB4A5C3201469A5B5EB63
SHA1:	3E89FF837147C16B4E41C30D6C796374E0B8E62C
SHA-256:	9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
SHA-512:	9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$.........................PE..L.....\;...........#..... ...4.......'.......0.....q....................................................................k...l)..<....@.../...................p..T....................................................................................text...{........ .................. ..`.data...\....0.......&..............@....rsrc..../...@...0...(..............@..@.reloc.......p.......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\B137.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	704512
Entropy (8bit):	6.496956945559699
Encrypted:	false
SSDEEP:	12288:ERObekMSkfohrPUs37uzHnA6zg5cIsalHERjUrNN/RQ9wgUT5EDExyc:2ObekrkfohrP337uzHnA6cHswHE/6gU3
MD5:	A7662827ECAEB4FC68334F6B8791B917
SHA1:	F93151DD228D680AA2910280E51F0A84D0CAD105
SHA-256:	05F159722D6905719D2D6F340981A293F40AB8A0D2D4A282C948066809D4AF6D
SHA-512:	E9880B3F3EC9201E59114850E9C570D0AD6D3B0E04C60929A03CF983C62C505FCB6BB9DC3ADEEE88C78D43BD484159626B4A2F000A34B8883164C263F21E6F4A
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................f...........q............@..............................................@...............................%..................................................................................................................CODE....(d.......f.................. ..`DATA.................j..............@...BSS..................\|...................idata...%.......&...\|..............@....tls.....................................rdata..............................@..P.reloc.............................@..P.rsrc...............................@..P.....................J..............@..P........................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsbA38A.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\InstallSetup9.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	12
Entropy (8bit):	2.1258145836939115
Encrypted:	false
SSDEEP:	3:XOj:Xe
MD5:	416B4BAB4CCD524D0B3EB958E5486867
SHA1:	E5E94B6F9F22E9FCD96613544935E9948B523E55
SHA-256:	BE4EFD67A84F76F86829B7CE4AE4F0E2C091C778D2E2AF9D6A3BC4EA6AB7D396
SHA-512:	306BFF69AC28C25504276FC96CFFB620F38D9127244E20078E4D44805B87DDA541E51D2246CA9BDE0D48BCFE79DB94402CC735F89BF6679B917985596A9FC956
Malicious:	false
Preview:	212.102.41.2

C:\Users\user\AppData\Local\Temp\nsbA38B.tmp\INetC.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\InstallSetup9.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	25600
Entropy (8bit):	5.391050633650523
Encrypted:	false
SSDEEP:	384:pjj9e9dE95XD+iTx58Y5oMM3O9MEoLr1VcQZ/ZwcSyekMRlZ4L4:dAvE90GuY2tO93oLrJRM7Z4E
MD5:	40D7ECA32B2F4D29DB98715DD45BFAC5
SHA1:	124DF3F617F562E46095776454E1C0C7BB791CC7
SHA-256:	85E03805F90F72257DD41BFDAA186237218BBB0EC410AD3B6576A88EA11DCCB9
SHA-512:	5FD4F516CE23FB7E705E150D5C1C93FC7133694BA495FB73101674A528883A013A34AB258083AA7CE6072973B067A605158316A4C9159C1B4D765761F91C513D
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'9<.cXR.cXR.cXR.D.).jXR.cXS.6XR.D. .`XR.D.(.bXR.D...bXR.D.*.bXR.RichcXR.........................PE..L....T.[...........!.....@...j.......E.......P.......................................................................M..l...\F..d.......(.......................\.......................................................d............................text...\>.......@.................. ..`.data...dW...P.......D..............@....rsrc...(............R..............@..@.reloc..\............\..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\InstallSetup9.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	300032
Entropy (8bit):	6.866758361796511
Encrypted:	false
SSDEEP:	6144:uecWWVV0YLY6TUIXxCelOvOZfKi76bRXMA:ucWVGYc6TUIXevCKiebph
MD5:	8D7509943A544938231EAF3A6BE9332E
SHA1:	4813C94230AE01377C4166D8C312C4409FB52D64
SHA-256:	6EBDBC0B9B3A3D8EFB3BD29076241EC71C6C2E7D39C93409EB5B1D06FC9B70A8
SHA-512:	03981CBD08217DDE1F9D584AEF7F426B924179961EE6CBC07F870E031B2EC120DDED7014A3C05607BE6EC1720744F782AFE6502FF376EEE1FE6A15921746390C
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l..(..(..(..6......6...<..6.........-..(.._..6...)..6...)..6...)..Rich(..................PE..L....C.b............................G........ ....@...........................".....v/.......................................J..<......../........................................................................... ...............................text............................... ..`.rdata..x5... ...6..................@..@.data....e...`...$...>..............@....wasubiy.............b..............@....rsrc............0...d..............@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\toolspub2.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\9561.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	294400
Entropy (8bit):	6.737599818680579
Encrypted:	false
SSDEEP:	6144:EeJDc1xNSLKxX1ZfSrw6o6f1DffsD9W2fEutV:EaDcdS8ZfgxbsBlfEMV
MD5:	85E39A9EF8C8F1BEEF408EFC12256FF4
SHA1:	DF2F4AE304B6F7AB41E2906D1A790BAA2BB48F11
SHA-256:	DAC1CB9F826E0B64FA0FDF4CF8568D4D746F7401A31DDB534EE3E57D8541FE2C
SHA-512:	7E98F4441C9B1BE569BB7C134E7C80719BA532CED69904C84650881242B02175CBE7456802A51C09C1F77E75D6EBEE1B91F8AC0AB95F7D713BCAD8AB62360367
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................................P............Y.......................Rich...................PE..L...hr.d.............................!............@.........................................................................,...P.......h7..............................................................@...............$............................text............................... ..`.rdata...9.......:..................@..@.data....h...0...&..................@....zona...A............B..............@....rsrc...h7.......8...F..............@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\cookies.sqlite-shm

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\091tobv5.default-release\places.sqlite-shm

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\gferuhf

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	296960
Entropy (8bit):	6.850440274603176
Encrypted:	false
SSDEEP:	6144:Eec43GFV0FLNzEw8Y6Eeq7fvueRu/6wmbRXMA:Eu3GFmFpzEmeWueK6Nbph
MD5:	B8324ACAAFAF40CEBFE3C91FF01A33B6
SHA1:	FE686866BB58AE8C4C72EDD1686CA2FA5BDA16C0
SHA-256:	8FCA1F9021A9CED5F64038DFD78E59A5AA1250758D1455064A752FD142DA4A14
SHA-512:	BCD5799FB37CBAC22B8963B80966C421831CAA53CF95C50F1A5564BDAF41D2E1F99329E01F6A371093874F31ADC8E122E875BE6FE6A04FE44304C4E8601B6CB5
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l..(..(..(..6......6...<..6.........-..(.._..6...)..6...)..6...)..Rich(..................PE..L...E..c............................G.............@..........................................................................:..<......../...........................................................................................................text............................... ..`.rdata..x5.......6..................@..@.data....e...P...$...2..............@....jiwe................V..............@....rsrc..../.......0...X..............@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\gferuhf:Zone.Identifier

Download File

Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\jesviwu

Download File

Process:	C:\Windows\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	248887
Entropy (8bit):	7.99935013900087
Encrypted:	true
SSDEEP:	6144:z0kbxQMN5j3kX04Jqur+rY2MXfS9gR4a3ZPaL:JbxQs5j3kxUur9v14a3i
MD5:	2E956F04AD2ACE10F21BD6581C02CBD7
SHA1:	66C13E10CD7E2EE2B2EB1F821A0E380BD9015599
SHA-256:	4F28F3B060BEB44F49DFAD097E08EB139F39514F58B845D37EA2AD4F82B9E6F6
SHA-512:	E8AABB442EB3BCBDEE83C3FC289A61672FA9F53CB719262102558C1525320D0C3ABB5F04A4A34715EBB2180EC28EF0E8B35DBF72FD2B48EB4B9811794D7506F5
Malicious:	false
Preview:	....g0a.t.v.j.K\|...w....V......r.4/...7#.7P..D......o...eM..}..Yu(..9....R.....>..y]O...........R..G.6+.....L...]..J.XcL..'...".lI..t...Uv.m......8[..8rN.G....GDV@o.. g.oqu.....r]. _Dp[.y..".P.`4..!...;y.nV.....!.......F....&u.......h..RP\.6.2t.`...3'....:.7t.m.........e.I^.+.8.../M....U..@..8`.!.y...<cXy.v......o.._..L.]...k+.(...].vh.R;.@...._..VT.lD....>..5LVM..+...PR..n.../..,.LV......}....v..:&......:...VN...x.j<..\|.V...n..X.Q6\|...\r`.....{...c.)T.+'..H...?....1.fq.n.Rh.....<.pc.....dd.....c..{ M8.( ./....:.S8....P.s......zBObA....A.TW.B....s....!.....KB.S...G..Z<.N...).....7l.<.K...?..4.t.h....@.{.%..o..O....'......c.jh>g.-.v=...~O...#..v\..)#[(..C .<......a.".c.zt(4..B..h.".c.....S...I.t^.[l^./u...y.....=!)....:.'%.hW.....=..O.:#A.gu....n-.@....R.....y1..=..><.QD..E....@.?R)..5'L...*7\.^]V.x.f"w(...o.....(.\|.4...,..FR.............+.n...I.o........u......f?..d.2.... G...........X..m.....g.v.&.Si...^[J5.1@.hk..x.T.o.Enp..{

C:\Users\user\AppData\Roaming\tieruhf

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	294400
Entropy (8bit):	6.737599818680579
Encrypted:	false
SSDEEP:	6144:EeJDc1xNSLKxX1ZfSrw6o6f1DffsD9W2fEutV:EaDcdS8ZfgxbsBlfEMV
MD5:	85E39A9EF8C8F1BEEF408EFC12256FF4
SHA1:	DF2F4AE304B6F7AB41E2906D1A790BAA2BB48F11
SHA-256:	DAC1CB9F826E0B64FA0FDF4CF8568D4D746F7401A31DDB534EE3E57D8541FE2C
SHA-512:	7E98F4441C9B1BE569BB7C134E7C80719BA532CED69904C84650881242B02175CBE7456802A51C09C1F77E75D6EBEE1B91F8AC0AB95F7D713BCAD8AB62360367
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................................P............Y.......................Rich...................PE..L...hr.d.............................!............@.........................................................................,...P.......h7..............................................................@...............$............................text............................... ..`.rdata...9.......:..................@..@.data....h...0...&..................@....zona...A............B..............@....rsrc...h7.......8...F..............@..@................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.850440274603176
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	296'960 bytes
MD5:	b8324acaafaf40cebfe3c91ff01a33b6
SHA1:	fe686866bb58ae8c4c72edd1686ca2fa5bda16c0
SHA256:	8fca1f9021a9ced5f64038dfd78e59a5aa1250758d1455064a752fd142da4a14
SHA512:	bcd5799fb37cbac22b8963b80966c421831caa53cf95c50f1a5564bdaf41d2e1f99329e01f6a371093874f31adc8e122e875be6fe6a04fe44304c4e8601b6cb5
SSDEEP:	6144:Eec43GFV0FLNzEw8Y6Eeq7fvueRu/6wmbRXMA:Eu3GFmFpzEmeWueK6Nbph
TLSH:	93548C1132E8D431E2F31A354634C7F50A7BB8726825546FABD42A795E60FE2DA30737
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......l...(...(...(...6.......6...<...6...........-...(..._...6...)...6...)...6...)...Rich(...................PE..L...E..c...........

File Icon


Icon Hash:	0b31646465311f46

Static PE Info

General

Entrypoint:	0x401d47
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x6314C045 [Sun Sep 4 15:12:05 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	d3be11f6df42332786a4c0379b6f9121

Entrypoint Preview

Instruction
call 00007F07C4814C55h
jmp 00007F07C480A89Eh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [004371D8h], eax
mov dword ptr [004371D4h], ecx
mov dword ptr [004371D0h], edx
mov dword ptr [004371CCh], ebx
mov dword ptr [004371C8h], esi
mov dword ptr [004371C4h], edi
mov word ptr [004371F0h], ss
mov word ptr [004371E4h], cs
mov word ptr [004371C0h], ds
mov word ptr [004371BCh], es
mov word ptr [004371B8h], fs
mov word ptr [004371B4h], gs
pushfd
pop dword ptr [004371E8h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [004371DCh], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [004371E0h], eax
lea eax, dword ptr [ebp+08h]
mov dword ptr [004371ECh], eax
mov eax, dword ptr [ebp-00000320h]
mov dword ptr [00437128h], 00010001h
mov eax, dword ptr [004371E0h]
mov dword ptr [004370DCh], eax
mov dword ptr [004370D0h], C0000409h
mov dword ptr [004370D4h], 00000001h
mov eax, dword ptr [00435004h]
mov dword ptr [ebp-00000328h], eax
mov eax, dword ptr [00435008h]
mov dword ptr [ebp-00000324h], eax
call dword ptr [000000D0h]

Rich Headers

Programming Language:

[C++] VS2008 build 21022
[ASM] VS2008 build 21022
[ C ] VS2008 build 21022
[IMP] VS2005 build 50727
[RES] VS2008 build 21022
[LNK] VS2008 build 21022

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x33a8c	0x3c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3d000	0x12fe0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x31000	0x1e4	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2f714	0x2f800	False	0.6591796875	data	7.200967703562425	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x31000	0x3578	0x3600	False	0.39228877314814814	data	5.418909280918201	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x35000	0x65a8	0x2400	False	0.19596354166666666	data	2.087347201920266	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.jiwe	0x3c000	0xc	0x200	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3d000	0x12fe0	0x13000	False	0.5572702508223685	data	5.752507674562828	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_CURSOR	0x4a900	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	Setsuana	South Africa	0.43506493506493504
RT_CURSOR	0x4aa50	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Setsuana	South Africa	0.30810234541577824
RT_CURSOR	0x4b8f8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Setsuana	South Africa	0.48014440433212996
RT_ICON	0x3d850	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Setsuana	South Africa	0.7964352720450282
RT_ICON	0x3e910	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Setsuana	South Africa	0.4554904051172708
RT_ICON	0x3f7b8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Setsuana	South Africa	0.598826714801444
RT_ICON	0x40060	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Setsuana	South Africa	0.6745391705069125
RT_ICON	0x40728	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Setsuana	South Africa	0.759393063583815
RT_ICON	0x40c90	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Setsuana	South Africa	0.5871369294605809
RT_ICON	0x43238	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	Setsuana	South Africa	0.6444652908067542
RT_ICON	0x442e0	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Setsuana	South Africa	0.7385245901639345
RT_ICON	0x44c68	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Setsuana	South Africa	0.7898936170212766
RT_ICON	0x45148	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	Setsuana	South Africa	0.46748400852878463
RT_ICON	0x45ff0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	Setsuana	South Africa	0.6416967509025271
RT_ICON	0x46898	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	Setsuana	South Africa	0.7171658986175116
RT_ICON	0x46f60	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	Setsuana	South Africa	0.7810693641618497
RT_ICON	0x474c8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	Setsuana	South Africa	0.6453319502074689
RT_ICON	0x49a70	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	Setsuana	South Africa	0.7598360655737705
RT_ICON	0x4a3f8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	Setsuana	South Africa	0.8430851063829787
RT_DIALOG	0x4c3a8	0x98	data	Setsuana	South Africa	0.75
RT_STRING	0x4c440	0x53c	data	Setsuana	South Africa	0.4246268656716418
RT_STRING	0x4c980	0x616	data	Setsuana	South Africa	0.43324775353016687
RT_STRING	0x4cf98	0x66c	data	Setsuana	South Africa	0.4367396593673966
RT_STRING	0x4d608	0x806	data	Setsuana	South Africa	0.4133398247322298
RT_STRING	0x4de10	0x540	data	Setsuana	South Africa	0.4419642857142857
RT_STRING	0x4e350	0x1a8	data	Setsuana	South Africa	0.49056603773584906
RT_STRING	0x4e4f8	0x6d8	data	Setsuana	South Africa	0.4223744292237443
RT_STRING	0x4ebd0	0xcc	data	Setsuana	South Africa	0.5588235294117647
RT_STRING	0x4eca0	0x816	data	Setsuana	South Africa	0.41594202898550725
RT_STRING	0x4f4b8	0x5a0	data	Setsuana	South Africa	0.4479166666666667
RT_STRING	0x4fa58	0x446	data	Setsuana	South Africa	0.4570383912248629
RT_STRING	0x4fea0	0xa0	data	Setsuana	South Africa	0.63125
RT_STRING	0x4ff40	0x9c	data	Setsuana	South Africa	0.5897435897435898
RT_ACCELERATOR	0x4a8c8	0x38	data	Setsuana	South Africa	0.9107142857142857
RT_GROUP_CURSOR	0x4aa38	0x14	Lotus unknown worksheet or configuration, revision 0x1	Setsuana	South Africa	1.3
RT_GROUP_CURSOR	0x4c1a0	0x22	data	Setsuana	South Africa	1.0294117647058822
RT_GROUP_ICON	0x3e8f8	0x14	data	Setsuana	South Africa	1.1
RT_GROUP_ICON	0x450d0	0x76	data	Setsuana	South Africa	0.6694915254237288
RT_GROUP_ICON	0x4a860	0x68	data	Setsuana	South Africa	0.7019230769230769
RT_VERSION	0x4c1c8	0x1dc	data	Setsuana	South Africa	0.5819327731092437

Imports

DLL

Import

KERNEL32.dll

SetDefaultCommConfigA, GlobalDeleteAtom, GetConsoleAliasesLengthW, EnumDateFormatsExW, MoveFileExA, SetEndOfFile, CreateJobObjectW, HeapFree, CreateNamedPipeW, GetCompressedFileSizeW, GlobalAlloc, LoadLibraryW, ReadConsoleOutputW, DnsHostnameToComputerNameW, GetTimeFormatW, LocalHandle, GetModuleFileNameW, lstrcatA, CompareStringW, MultiByteToWideChar, VirtualUnlock, GetConsoleOutputCP, FreeLibraryAndExitThread, GetLastError, GetLongPathNameA, HeapSize, SetVolumeLabelW, EnterCriticalSection, GetTempFileNameA, GetAtomNameA, LoadLibraryA, OpenWaitableTimerW, SetConsoleTitleW, GetModuleHandleA, FreeEnvironmentStringsW, BuildCommDCBA, VirtualProtect, QueryPerformanceFrequency, DeleteCriticalSection, DeleteTimerQueueTimer, LocalFree, SetFileAttributesW, LCMapStringW, CopyFileExA, SetEnvironmentVariableA, CompareStringA, GetTimeZoneInformation, GetStartupInfoW, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, HeapAlloc, LeaveCriticalSection, WriteFile, WideCharToMultiByte, GetConsoleCP, GetConsoleMode, FlushFileBuffers, FatalAppExitA, GetModuleHandleW, Sleep, GetProcAddress, ExitProcess, GetStdHandle, GetModuleFileNameA, GetEnvironmentStringsW, GetCommandLineW, SetHandleCount, GetFileType, GetStartupInfoA, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, GetCurrentThread, HeapCreate, HeapDestroy, VirtualFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, SetFilePointer, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, VirtualAlloc, HeapReAlloc, RtlUnwind, WriteConsoleA, WriteConsoleW, SetStdHandle, InitializeCriticalSectionAndSpinCount, SetConsoleCtrlHandler, FreeLibrary, InterlockedExchange, LCMapStringA, GetStringTypeA, GetStringTypeW, GetTimeFormatA, GetDateFormatA, GetUserDefaultLCID, GetLocaleInfoA, EnumSystemLocalesA, IsValidLocale, ReadFile, CreateFileA, CloseHandle, GetLocaleInfoW, RaiseException

USER32.dll

GetMonitorInfoW, GetDesktopWindow

Possible Origin

Language of compilation system	Country where language is spoken	Map
Setsuana	South Africa

Target ID:	0
Start time:	17:32:06
Start date:	28/12/2023
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\file.exe
Imagebase:	0x400000
File size:	296'960 bytes
MD5 hash:	B8324ACAAFAF40CEBFE3C91FF01A33B6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000003.1346186233.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.1414909359.00000000020A1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.1414909359.00000000020A1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.1414773059.0000000000609000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.1414691831.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.1414691831.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.1414674284.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	17:32:12
Start date:	28/12/2023
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff609fd0000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	17:32:33
Start date:	28/12/2023
Path:	C:\Users\user\AppData\Roaming\gferuhf
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\gferuhf
Imagebase:	0x400000
File size:	296'960 bytes
MD5 hash:	B8324ACAAFAF40CEBFE3C91FF01A33B6
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000004.00000002.1677531544.00000000020A1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000004.00000002.1677531544.00000000020A1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000004.00000002.1677336992.0000000000498000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000004.00000003.1614832570.0000000000580000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000004.00000002.1677390187.0000000000580000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000004.00000002.1677390187.0000000000580000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000004.00000002.1677220887.0000000000470000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	17:32:42
Start date:	28/12/2023
Path:	C:\Users\user\AppData\Local\Temp\83BC.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\83BC.exe
Imagebase:	0x400000
File size:	2'029'056 bytes
MD5 hash:	15184ED11B2354EDA1F1787DCBBCF04A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000005.00000002.1708502854.0000000002318000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 74%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	17:32:43
Start date:	28/12/2023
Path:	C:\Users\user\AppData\Local\Temp\83BC.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\83BC.exe
Imagebase:	0x400000
File size:	2'029'056 bytes
MD5 hash:	15184ED11B2354EDA1F1787DCBBCF04A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	17:32:47
Start date:	28/12/2023
Path:	C:\Users\user\AppData\Local\Temp\9561.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\9561.exe
Imagebase:	0x580000
File size:	7'079'936 bytes
MD5 hash:	3954CC01C26D1962284F3B95602F2367
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: MALWARE_Win_DLInjector04, Description: Detects downloader / injector, Source: C:\Users\user\AppData\Local\Temp\9561.exe, Author: ditekSHen
Antivirus matches:	Detection: 91%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	17:32:48
Start date:	28/12/2023
Path:	C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
Imagebase:	0x400000
File size:	4'425'080 bytes
MD5 hash:	1894F7AA0F57BEC640F13E2EC87840E1
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000008.00000002.4075648542.0000000000843000.00000040.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000008.00000002.4107945303.00000000030F0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000008.00000002.4107945303.0000000003533000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000008.00000002.4107329248.0000000002CF4000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000008.00000003.1763762171.0000000003E22000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 91%, ReversingLabs
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	17:32:48
Start date:	28/12/2023
Path:	C:\Users\user\AppData\Local\Temp\InstallSetup9.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\InstallSetup9.exe"
Imagebase:	0x400000
File size:	2'349'777 bytes
MD5 hash:	B244F23C876D3F9A81F2C2B395408E70
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 87%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	17:32:49
Start date:	28/12/2023
Path:	C:\Users\user\AppData\Local\Temp\InstallSetup9.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\InstallSetup9.exe"
Imagebase:	0x400000
File size:	2'349'777 bytes
MD5 hash:	B244F23C876D3F9A81F2C2B395408E70
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	17:32:49
Start date:	28/12/2023
Path:	C:\Users\user\AppData\Local\Temp\toolspub2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\toolspub2.exe"
Imagebase:	0x400000
File size:	294'400 bytes
MD5 hash:	85E39A9EF8C8F1BEEF408EFC12256FF4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000000D.00000002.1778201107.000000000084C000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	17:32:49
Start date:	28/12/2023
Path:	C:\Users\user\AppData\Local\Temp\BroomSetup.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\BroomSetup.exe
Imagebase:	0x400000
File size:	5'515'264 bytes
MD5 hash:	00E93456AA5BCF9F60F84B0C0760A212
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 0000000E.00000000.1772834822.0000000000401000.00000020.00000001.01000000.0000000D.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe, Author: Joe Security
Antivirus matches:	Detection: 30%, ReversingLabs
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	17:32:50
Start date:	28/12/2023
Path:	C:\Users\user\AppData\Local\Temp\toolspub2.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\toolspub2.exe"
Imagebase:	0x400000
File size:	294'400 bytes
MD5 hash:	85E39A9EF8C8F1BEEF408EFC12256FF4
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000F.00000002.1876773105.0000000001F61000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000000F.00000002.1876773105.0000000001F61000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 0000000F.00000002.1863090998.0000000000470000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 0000000F.00000002.1863090998.0000000000470000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	17:32:52
Start date:	28/12/2023
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Sysnative\cmd.exe /C fodhelper
Imagebase:	0x7ff62f350000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	17:32:52
Start date:	28/12/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	17:32:52
Start date:	28/12/2023
Path:	C:\Windows\System32\fodhelper.exe
Wow64 process (32bit):	false
Commandline:	fodhelper
Imagebase:	0x7ff60d9e0000
File size:	49'664 bytes
MD5 hash:	85018BE1FD913656BC9FF541F017EACD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	17:32:52
Start date:	28/12/2023
Path:	C:\Windows\System32\fodhelper.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\fodhelper.exe"
Imagebase:	0x7ff60d9e0000
File size:	49'664 bytes
MD5 hash:	85018BE1FD913656BC9FF541F017EACD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	17:32:53
Start date:	28/12/2023
Path:	C:\Windows\System32\fodhelper.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\fodhelper.exe"
Imagebase:	0x7ff60d9e0000
File size:	49'664 bytes
MD5 hash:	85018BE1FD913656BC9FF541F017EACD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	17:32:54
Start date:	28/12/2023
Path:	C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
Imagebase:	0x400000
File size:	4'425'080 bytes
MD5 hash:	1894F7AA0F57BEC640F13E2EC87840E1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000017.00000002.4084338772.0000000000843000.00000040.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000017.00000002.4106141741.0000000003353000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000017.00000002.4106141741.0000000002F10000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000017.00000002.4104489388.0000000002B0C000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Has exited:	false

Show Windows behavior

Target ID:	24
Start time:	17:32:54
Start date:	28/12/2023
Path:	C:\Users\user\AppData\Local\Temp\B137.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\B137.exe
Imagebase:	0x400000
File size:	4'438'660 bytes
MD5 hash:	54CD75DEB7E9DBE5151324D48EF485A0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	25
Start time:	17:32:54
Start date:	28/12/2023
Path:	C:\Users\user\AppData\Local\Temp\is-3QNR8.tmp\B137.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-3QNR8.tmp\B137.tmp" /SL5="$30510,4192226,54272,C:\Users\user\AppData\Local\Temp\B137.exe"
Imagebase:	0x400000
File size:	704'512 bytes
MD5 hash:	A7662827ECAEB4FC68334F6B8791B917
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	26
Start time:	17:32:54
Start date:	28/12/2023
Path:	C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\nsuAC75.tmp.exe
Imagebase:	0x400000
File size:	300'032 bytes
MD5 hash:	8D7509943A544938231EAF3A6BE9332E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 0000001A.00000002.2605092891.0000000002250000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000001A.00000002.2605092891.0000000002250000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 0000001A.00000002.2604104518.0000000000400000.00000040.00000001.01000000.00000011.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000001A.00000002.2604597299.0000000000728000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 0000001A.00000003.1852497320.0000000002270000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 0000001A.00000002.2605183067.00000000022D5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	17:32:58
Start date:	28/12/2023
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	regsvr32 /s C:\Users\user\AppData\Local\Temp\C1C2.dll
Imagebase:	0x7ff782c80000
File size:	25'088 bytes
MD5 hash:	B0C2FA35D14A9FAD919E99D9D75E1B9E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	17:32:58
Start date:	28/12/2023
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	/s C:\Users\user\AppData\Local\Temp\C1C2.dll
Imagebase:	0x4a0000
File size:	20'992 bytes
MD5 hash:	878E47C8656E53AE8A8A21E927C6F7E0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	17:32:58
Start date:	28/12/2023
Path:	C:\Windows\System32\rundll32.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Imagebase:	0x7ff6ec5c0000
File size:	71'680 bytes
MD5 hash:	EF3179D498793BF4234F708D3BE28633
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	17:33:00
Start date:	28/12/2023
Path:	C:\Users\user\AppData\Local\Temp\B137.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\B137.exe" /SPAWNWND=$404C0 /NOTIFYWND=$30510
Imagebase:	0x400000
File size:	4'438'660 bytes
MD5 hash:	54CD75DEB7E9DBE5151324D48EF485A0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	34
Start time:	17:33:00
Start date:	28/12/2023
Path:	C:\Users\user\AppData\Local\Temp\CDAA.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\CDAA.exe
Imagebase:	0x60000
File size:	5'597'024 bytes
MD5 hash:	BD21400B49D3C712466E20A9C4422C60
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000022.00000003.2128321951.000000000137A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000022.00000003.2077254246.000000000137A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000022.00000003.2096984534.000000000137A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000022.00000003.2137389333.000000000137A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000022.00000003.2120331383.000000000137A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000022.00000003.2112222291.000000000137A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000022.00000003.2087024904.000000000137A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	17:33:01
Start date:	28/12/2023
Path:	C:\Windows\SysWOW64\explorer.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\explorer.exe
Imagebase:	0x3c0000
File size:	4'514'184 bytes
MD5 hash:	DD6597597673F72E10C9DE7901FBA0A8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	17:33:01
Start date:	28/12/2023
Path:	C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-ADVE0.tmp\B137.tmp" /SL5="$205C2,4192226,54272,C:\Users\user\AppData\Local\Temp\B137.exe" /SPAWNWND=$404C0 /NOTIFYWND=$30510
Imagebase:	0x400000
File size:	704'512 bytes
MD5 hash:	A7662827ECAEB4FC68334F6B8791B917
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	38
Start time:	17:33:03
Start date:	28/12/2023
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\explorer.exe
Imagebase:	0x7ff609fd0000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	17:33:03
Start date:	28/12/2023
Path:	C:\Windows\SysWOW64\net.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\system32\net.exe" helpmsg 28
Imagebase:	0x7f0000
File size:	47'104 bytes
MD5 hash:	31890A7DE89936F922D44D677F681A7F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	17:33:03
Start date:	28/12/2023
Path:	C:\Program Files (x86)\CPointASP\cpointasp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\CPointASP\cpointasp.exe" -i
Imagebase:	0x400000
File size:	1'642'495 bytes
MD5 hash:	9DCE8CBCB90200F461757260260F7FB7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	17:33:03
Start date:	28/12/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	17:33:05
Start date:	28/12/2023
Path:	C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\net1 helpmsg 28
Imagebase:	0x790000
File size:	139'776 bytes
MD5 hash:	2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	17:33:05
Start date:	28/12/2023
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell -nologo -noprofile
Imagebase:	0x8a0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	17:33:05
Start date:	28/12/2023
Path:	C:\Program Files (x86)\CPointASP\cpointasp.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\CPointASP\cpointasp.exe" -s
Imagebase:	0x400000
File size:	1'642'495 bytes
MD5 hash:	9DCE8CBCB90200F461757260260F7FB7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 0000002C.00000002.4100878154.0000000002A54000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 0000002C.00000002.4101862181.0000000002B01000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	45
Start time:	17:33:05
Start date:	28/12/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.8%
Dynamic/Decrypted Code Coverage:	17%
Signature Coverage:	14.4%
Total number of Nodes:	153
Total number of Limit Nodes:	9

Executed Functions

Function 00401590 Relevance: 10.7, APIs: 7, Instructions: 203
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401648
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401675
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401698
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016B6
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016F7
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401728
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 0040174A

Memory Dump Source

Source File: 00000000.00000002.1414453150.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 569c601533bfa5fc76acd0aceccd82dced2ec0ba9158162e35254d0d933d7b6e
Instruction ID: d6964195f2ae178c179c3b7a32e304a619fe45f2cb2dcf097c8130f3d204b23e
Opcode Fuzzy Hash: 569c601533bfa5fc76acd0aceccd82dced2ec0ba9158162e35254d0d933d7b6e
Instruction Fuzzy Hash: 64616FB0904205FFEB208F91CC58FAF7BB8EF81710F10416AFA12BA1E5D6749941DB65

Uniqueness

Uniqueness Score: -1.00%

Function 0040159B Relevance: 10.7, APIs: 7, Instructions: 173
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401648
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401675
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401698
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016B6
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016F7
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401728
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 0040174A

Memory Dump Source

Source File: 00000000.00000002.1414453150.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: bae20a228bd41bc7813985564ad54ad8a6399e0ad18c72377fec9941621639a0
Instruction ID: ff81ed2e81490e93a7bfe721f9c6a4d9304ec08e35c355afa89281eda0ffd623
Opcode Fuzzy Hash: bae20a228bd41bc7813985564ad54ad8a6399e0ad18c72377fec9941621639a0
Instruction Fuzzy Hash: 3E5109B5900249BFEB208F91CC49FAB7BB8FF85710F144169FA11BA2E5D6749941CB24

Uniqueness

Uniqueness Score: -1.00%

Function 004015B0 Relevance: 10.7, APIs: 7, Instructions: 169
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401648
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401675
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401698
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016B6
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016F7
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401728
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 0040174A

Memory Dump Source

Source File: 00000000.00000002.1414453150.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 6c4736dca5741fb18473fdef31891e556f9b158cac04651ef2a3a7cb79a50736
Instruction ID: af686ae4933c2f6004de28669cc23aaadd0110c3f88d1b974755b8c34b4799b2
Opcode Fuzzy Hash: 6c4736dca5741fb18473fdef31891e556f9b158cac04651ef2a3a7cb79a50736
Instruction Fuzzy Hash: 0E51F9B5900249BFEB208F91CC48FAF7BB8FF85B10F104169FA11BA2E5D6749941CB24

Uniqueness

Uniqueness Score: -1.00%

Function 004015BC Relevance: 10.7, APIs: 7, Instructions: 168
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401648
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401675
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401698
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016B6
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016F7
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401728
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 0040174A

Memory Dump Source

Source File: 00000000.00000002.1414453150.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 72661907227a9452eb25ab953c02bdcf5a827517e06e297a0d085dc110f4c5bf
Instruction ID: 765dedf92b6036aea99e2596c7c6646b0bcbba97602321f23575c560d9e65fb8
Opcode Fuzzy Hash: 72661907227a9452eb25ab953c02bdcf5a827517e06e297a0d085dc110f4c5bf
Instruction Fuzzy Hash: 1451E8B5900249BFEF208F91CC48FDF7BB8FF85B10F104169FA11AA2A5D6749945CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004015CB Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401648
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401675
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401698
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016B6
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016F7
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401728
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 0040174A

Memory Dump Source

Source File: 00000000.00000002.1414453150.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 004f83838c091370c792dd4fcb680897e20f1790ca1ffba750393c7614aa26f8
Instruction ID: 60f1a669064b898f2f8cfe764b4cdaf5e199705ebcb5ef48edc51869d28594cd
Opcode Fuzzy Hash: 004f83838c091370c792dd4fcb680897e20f1790ca1ffba750393c7614aa26f8
Instruction Fuzzy Hash: 2C51FAB1900249BFEF208F91CC48F9FBBB8FF85B10F104169FA11AA2A5D7749941CB24

Uniqueness

Uniqueness Score: -1.00%

Function 0060CAFF Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0060CB27
Module32First.KERNEL32(00000000,00000224), ref: 0060CB47

Memory Dump Source

Source File: 00000000.00000002.1414773059.0000000000609000.00000040.00000020.00020000.00000000.sdmp, Offset: 00609000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_609000_file.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 972308e84e796bf541c3c3ec71bd08cb8fd5a651e968f442dfbc2bbb6c27cb93
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: D4F0F6326403106BD7243BF8A88EBAF73EDAF48334F100268E642921C0DB70EC054A60

Uniqueness

Uniqueness Score: -1.00%

Function 004029BA Relevance: 1.6, APIs: 1, Instructions: 60
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00402A18

Memory Dump Source

Source File: 00000000.00000002.1414453150.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 8b4368bb53e1649655da800b8e3771367f61da053ffbe47dde7c34dc5595736a
Instruction ID: ddfd821467dba8d9e3be05996510f596060048204c77d2b9bdf6330f9e046059
Opcode Fuzzy Hash: 8b4368bb53e1649655da800b8e3771367f61da053ffbe47dde7c34dc5595736a
Instruction Fuzzy Hash: 5C11E571708104E7D6209A449B4EF6B3724AB50B00F308077E5077A1C0D9FD9A07BBAF

Uniqueness

Uniqueness Score: -1.00%

Function 0042A1EA Relevance: 56.3, APIs: 31, Strings: 1, Instructions: 284
timelibrarymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteTimerQueueTimer.KERNEL32(00000000,00000000,00000000), ref: 0042A22F
GetLastError.KERNEL32 ref: 0042A235
GetCompressedFileSizeW.KERNEL32(00432E64,?), ref: 0042A256
GetAtomNameA.KERNEL32(00000000,?,00000000), ref: 0042A2A3
_memset.LIBCMT ref: 0042A2BB
SetDefaultCommConfigA.KERNEL32(00432E6C,?,00000000), ref: 0042A2D1
CopyFileExA.KERNEL32(00432E98,00432E88,00000000,00000000,00000000,00000000), ref: 0042A2E9
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042A2F1
GetModuleHandleA.KERNEL32(00000000), ref: 0042A2F9
EnumDateFormatsExW.KERNEL32(00000000,00000000,00000000), ref: 0042A305
RtlDeleteCriticalSection.NTDLL(?), ref: 0042A31B
LoadLibraryW.KERNEL32(00000000), ref: 0042A32C
FreeLibraryAndExitThread.KERNEL32(00000000,00000000), ref: 0042A389
SetConsoleTitleW.KERNEL32(00000000), ref: 0042A391
LocalFree.KERNEL32(00000000), ref: 0042A399
GetConsoleAliasesLengthW.KERNEL32(00000000), ref: 0042A3AB
DnsHostnameToComputerNameW.KERNEL32(00432EA4,?,?), ref: 0042A3C4
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042A3D6
GetTempFileNameA.KERNEL32(00000000,00000000,00000000,?), ref: 0042A3E9
MoveFileExA.KERNEL32(00000000,00000000,00000000), ref: 0042A3F5
OpenWaitableTimerW.KERNEL32(00000000,00000000,00432ED0), ref: 0042A404
CompareStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042A416
GetLongPathNameA.KERNEL32(00432F7C,?,00000000), ref: 0042A42A
RtlSizeHeap.NTDLL(00000000,00000000,00000000), ref: 0042A436
_memset.LIBCMT ref: 0042A48D
__vsnprintf.LIBCMT ref: 0042A4B8
BuildCommDCBA.KERNEL32(00432FD0,?), ref: 0042A55D
VirtualUnlock.KERNEL32(00000000,00000000), ref: 0042A567
GetConsoleOutputCP.KERNEL32 ref: 0042A5F1
SetFileAttributesW.KERNEL32(00432FE0,00000000), ref: 0042A614
OpenWaitableTimerW.KERNEL32(00000000,00000000,00000000), ref: 0042A620

Strings

tl_, xrefs: 0042A26D

Memory Dump Source

Source File: 00000000.00000002.1414471091.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_file.jbxd

Similarity

API ID: File$NameTimer$ConsoleFree$CommDeleteLibraryOpenSizeWaitable_memset$AliasesAtomAttributesBuildByteCharCompareCompressedComputerConfigCopyCriticalDateDefaultEnumEnvironmentErrorExitFormatsHandleHeapHostnameLastLengthLoadLocalLongModuleMoveMultiOutputPathQueueSectionStringStringsTempThreadTitleUnlockVirtualWide__vsnprintf
String ID: tl_
API String ID: 3427034380-2653253968
Opcode ID: 018e87cee8a55491dcdffeecc48db2ec871ace006ee9b4c9d1f5dcbb67ccde01
Instruction ID: e2162f32b396281d88f433798dcedd938f4ec2cdc448f5dc72e2e59d8e3ab766
Opcode Fuzzy Hash: 018e87cee8a55491dcdffeecc48db2ec871ace006ee9b4c9d1f5dcbb67ccde01
Instruction Fuzzy Hash: 19B1B631A44314EFEB249B90ED4AB9973B4FB04706F10507AF649A61E1D7B819C4CF6E

Uniqueness

Uniqueness Score: -1.00%

Function 005D003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 005D024D

Strings

cess, xrefs: 005D018D
kernel32.dll, xrefs: 005D008F, 005D0095

Memory Dump Source

Source File: 00000000.00000002.1414674284.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: fc9b128c1f50d28fefb36c0545add9695854d6336b218cbceaeb3d9a397e2676
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 7D526A74A01229DFDB64CF58C985BA8BBB1BF09314F1480DAE94DAB351DB30AE85DF14

Uniqueness

Uniqueness Score: -1.00%

Function 00429EA8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
librarymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(00437C30), ref: 00429F27
VirtualProtect.KERNELBASE(00000040,?), ref: 00429F3F

Strings

, xrefs: 00429EC3

Memory Dump Source

Source File: 00000000.00000002.1414471091.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_file.jbxd

Similarity

API ID: LibraryLoadProtectVirtual
String ID:
API String ID: 3279857687-3916222277
Opcode ID: c2b798b6f0af85355c2251563f1212d6bf79805c320912dc16ddd5c0e38b8d04
Instruction ID: 7666921c887b1d492d6c80e39b0c21d02e5a913eeac477f45812a49e2ea272a2
Opcode Fuzzy Hash: c2b798b6f0af85355c2251563f1212d6bf79805c320912dc16ddd5c0e38b8d04
Instruction Fuzzy Hash: E4012DA140C2D8D9F7328768EC88B5D7E966322708F0430B8D5C0562A2CBFE0959C7FD

Uniqueness

Uniqueness Score: -1.00%

Function 0040B515 Relevance: 4.5, APIs: 3, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0040B518
__malloc_crt.LIBCMT ref: 0040B546
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0040B553

Memory Dump Source

Source File: 00000000.00000002.1414471091.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_file.jbxd

Similarity

API ID: EnvironmentStrings$Free__malloc_crt
String ID:
API String ID: 237123855-0
Opcode ID: c4eb010729db78f418548124b7bff9562c8d732c56e44f452c96cb059b469357
Instruction ID: 57c9c94ab1490bbeef973e5c6d01f713e60640f858daec3ee0792fff5fb8643d
Opcode Fuzzy Hash: c4eb010729db78f418548124b7bff9562c8d732c56e44f452c96cb059b469357
Instruction Fuzzy Hash: E8F0823A9052207ADA257B397C484B71638DAC732E31154BBF452D3290F7384D8242ED

Uniqueness

Uniqueness Score: -1.00%

Function 005D0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,005D0223,?,?), ref: 005D0E19
SetErrorMode.KERNELBASE(00000000,?,?,005D0223,?,?), ref: 005D0E1E

Memory Dump Source

Source File: 00000000.00000002.1414674284.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: c5d6d6fa0513ea3056317b239f3eb2f6e5cae715dba88dd75ef451771bbf1679
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 47D0123114512877D7102A94DC09BCD7F1CDF05B62F008412FB0DD9180C770994046E5

Uniqueness

Uniqueness Score: -1.00%

Function 004029C5 Relevance: 1.6, APIs: 1, Instructions: 55
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00402A18

Memory Dump Source

Source File: 00000000.00000002.1414453150.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 630f67e63f4c9d6cadc1f4ef28869250e9dd95ac73f78134dda1cef590dfe083
Instruction ID: eda82e36109819710fc28ef01b941f30aa1b457bd77d6c907d6690057fca41fa
Opcode Fuzzy Hash: 630f67e63f4c9d6cadc1f4ef28869250e9dd95ac73f78134dda1cef590dfe083
Instruction Fuzzy Hash: 3C01C471708205E7DA60DA949A4EB6B7710AB51B10F308077E5037A1C4DAFD9A07FB6B

Uniqueness

Uniqueness Score: -1.00%

Function 004029D1 Relevance: 1.6, APIs: 1, Instructions: 54
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00402A18

Memory Dump Source

Source File: 00000000.00000002.1414453150.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 8aebd7c2dfb35844096bdf04bcf18f9291abc38b44631a4f8f553a04b448b611
Instruction ID: 27f311fed6bd4bb195386d6e886048742e5b6b48a655c0a394e70793ed6bf28f
Opcode Fuzzy Hash: 8aebd7c2dfb35844096bdf04bcf18f9291abc38b44631a4f8f553a04b448b611
Instruction Fuzzy Hash: E0018071708105E7DA609A449B4EB6B7324BB50B10F308477E5077A1C4DAFD9A07BB6F

Uniqueness

Uniqueness Score: -1.00%

Function 004029D5 Relevance: 1.6, APIs: 1, Instructions: 51
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00402A18

Memory Dump Source

Source File: 00000000.00000002.1414453150.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 14f9d75437b26c4e33ab762a249f6d4a6897a4cf10a17b4738070ea496484bd2
Instruction ID: 6c082c2f6db60d75b034223dafbed04b71575a1e0537fab93527f59567f6cb96
Opcode Fuzzy Hash: 14f9d75437b26c4e33ab762a249f6d4a6897a4cf10a17b4738070ea496484bd2
Instruction Fuzzy Hash: DB01B531708105E7DB60DA409A4DF5F7720BB50B10F208577E5077A1C4DAF99A17EB9B

Uniqueness

Uniqueness Score: -1.00%

Function 004029E2 Relevance: 1.5, APIs: 1, Instructions: 47libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00402A18

Memory Dump Source

Source File: 00000000.00000002.1414453150.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: b2d371f82e3e545a267ab12f2e2f0a58ec4b54f775fd64736b106f9591d7a7c3
Instruction ID: daf8977218c418413866257df5c9087131837fd98e0c4230724de407841e0162
Opcode Fuzzy Hash: b2d371f82e3e545a267ab12f2e2f0a58ec4b54f775fd64736b106f9591d7a7c3
Instruction Fuzzy Hash: 3801DF31708104E7DB209A848A4DB5E7320AB40B10F208577E507BA1C0DAF9AA07AFAB

Uniqueness

Uniqueness Score: -1.00%

Function 004029E9 Relevance: 1.5, APIs: 1, Instructions: 47libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00402A18

Memory Dump Source

Source File: 00000000.00000002.1414453150.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 9850a57f899f03cbeedeed8d531e786c982b6ed5f0a372be87f463e87495e5bd
Instruction ID: 5524fd7572365f35614fa46947343296b9db081daee3b4d0816b59f029c0b045
Opcode Fuzzy Hash: 9850a57f899f03cbeedeed8d531e786c982b6ed5f0a372be87f463e87495e5bd
Instruction Fuzzy Hash: 2101A731704104E7D7209A448A4EB5E7720AB40704F208477E5067A1C4DAB9EA07AB6B

Uniqueness

Uniqueness Score: -1.00%

Function 004029F9 Relevance: 1.5, APIs: 1, Instructions: 45libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00402A18

Memory Dump Source

Source File: 00000000.00000002.1414453150.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 83fdb88ab79b739a001a2e8c05ea2e4136fbf27434a3016a2f3de2c8c28590ed
Instruction ID: 2a527b723104a8d4642483acce18f9de5ed6d5a74c4e47f32731208c7d716ef4
Opcode Fuzzy Hash: 83fdb88ab79b739a001a2e8c05ea2e4136fbf27434a3016a2f3de2c8c28590ed
Instruction Fuzzy Hash: 1801A231708104E7DB209A849A4DF9F7720AB40B14F208477E5027A1C0DAF9AA07AFAB

Uniqueness

Uniqueness Score: -1.00%

Function 0040BED2 Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0040BEE7

Memory Dump Source

Source File: 00000000.00000002.1414471091.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_file.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 7141b54344356c25003b81cb57760395943c656c9518405707bdc638f2929ebd
Instruction ID: 9c2fc4f2f639ba88fe29b4510eb2aedc0fe5d1a91e073b8e996e579887af2452
Opcode Fuzzy Hash: 7141b54344356c25003b81cb57760395943c656c9518405707bdc638f2929ebd
Instruction Fuzzy Hash: E7D0A7735983099EDB105F75BC08BA73BDCD384799F104436B95DC6590FB74C941DA48

Uniqueness

Uniqueness Score: -1.00%

Function 00429F55 Relevance: 1.5, APIs: 1, Instructions: 15libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(00437C30,0042A574), ref: 00429FAE

Memory Dump Source

Source File: 00000000.00000002.1414471091.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_file.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e18fff7e849d1c29842ef951126ff08263ec5c699704ab89a84bcbfd76dff6e4
Instruction ID: adbb2f8345eb5fd1f1cc19e7b4d04a687ac24fc833a4ea8b6e56afb847f62d6e
Opcode Fuzzy Hash: e18fff7e849d1c29842ef951126ff08263ec5c699704ab89a84bcbfd76dff6e4
Instruction Fuzzy Hash: E3F0C29094C2C8C9F7328738B9D87192E961322648F4830A981C40A6A2CAEF0169D7FE

Uniqueness

Uniqueness Score: -1.00%

Function 00401969 Relevance: 1.3, APIs: 1, Instructions: 62sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 004019B4

Part of subcall function 00401590: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401648
Part of subcall function 00401590: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401675
Part of subcall function 00401590: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401698

Memory Dump Source

Source File: 00000000.00000002.1414453150.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: b8285f967374eae4a3c51efe3ce59b098afe428af0dcb557450618fb68c9c18d
Instruction ID: 1276e484f00ba66cbffb4616bb4d5d076efec51046982770477825c9afbd6400
Opcode Fuzzy Hash: b8285f967374eae4a3c51efe3ce59b098afe428af0dcb557450618fb68c9c18d
Instruction Fuzzy Hash: 0F01D2B6708205FADB005A949C62EBB3618AB41755F300637BA13B80F1C57D8513FA6F

Uniqueness

Uniqueness Score: -1.00%

Function 00401975 Relevance: 1.3, APIs: 1, Instructions: 55sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 004019B4

Part of subcall function 00401590: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401648
Part of subcall function 00401590: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401675
Part of subcall function 00401590: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401698

Memory Dump Source

Source File: 00000000.00000002.1414453150.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 9a4c6db62cce5b151e284cc19e63a433146ff3755d8681b35f1a2b6972971a8e
Instruction ID: 0230620869f43b82b90ed4dddf49477c9f5c6c73dade890abd4ec4b7d4a8195a
Opcode Fuzzy Hash: 9a4c6db62cce5b151e284cc19e63a433146ff3755d8681b35f1a2b6972971a8e
Instruction Fuzzy Hash: 4801BCB6308205FADB005A949C62FBA3219AB84751F30053BB613BC0F1C53D8513FA2F

Uniqueness

Uniqueness Score: -1.00%

Function 0040197F Relevance: 1.3, APIs: 1, Instructions: 54sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 004019B4

Part of subcall function 00401590: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401648
Part of subcall function 00401590: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401675
Part of subcall function 00401590: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401698

Memory Dump Source

Source File: 00000000.00000002.1414453150.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 25088a1f844088f741a859eeb607afc94706ffd20a91742bc3d9f24c23efa0b5
Instruction ID: 9a4b4ffd5ca22a672d673467c452b15ea5c40039b4ea8ded510267d200494456
Opcode Fuzzy Hash: 25088a1f844088f741a859eeb607afc94706ffd20a91742bc3d9f24c23efa0b5
Instruction Fuzzy Hash: 3A01B1B6308205FADB115A949C61A7A3319AB45711F30053BB613B80F2C53D8512FA1F

Uniqueness

Uniqueness Score: -1.00%

Function 00401986 Relevance: 1.3, APIs: 1, Instructions: 53sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 004019B4

Part of subcall function 00401590: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401648
Part of subcall function 00401590: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401675
Part of subcall function 00401590: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401698

Memory Dump Source

Source File: 00000000.00000002.1414453150.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: f146987f8c0bf49c3ef7592727f3e0a51ae856d021a330616d03f7304a9c3b71
Instruction ID: 5a2bb716a64f0a1f1a6e426f0b200f3e6862a670896c4db1e76ea4af0659c5ba
Opcode Fuzzy Hash: f146987f8c0bf49c3ef7592727f3e0a51ae856d021a330616d03f7304a9c3b71
Instruction Fuzzy Hash: 3101DFB2308205FADB005AD49C62F7A3219AB85715F30453BB623B80F1C63D8512FB2F

Uniqueness

Uniqueness Score: -1.00%

Function 0060C7BE Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 0060C80F

Memory Dump Source

Source File: 00000000.00000002.1414773059.0000000000609000.00000040.00000020.00020000.00000000.sdmp, Offset: 00609000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_609000_file.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 57b3bfba42334dcf1a54053adc0738125282fc8fc782608b6ab4a62f5ab68788
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 93112B79A40208EFDB01DF98C985E99BFF5AF08350F0580A4F9489B362D371EA50DB84

Uniqueness

Uniqueness Score: -1.00%

Function 004019A2 Relevance: 1.3, APIs: 1, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 004019B4

Part of subcall function 00401590: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401648
Part of subcall function 00401590: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401675
Part of subcall function 00401590: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401698

Memory Dump Source

Source File: 00000000.00000002.1414453150.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: a8f77c5b0aafc3a83b6e9a89fc0125d54fce9978fbcf9d902b8238b221feffd7
Instruction ID: 689da8ed0bf63c85a60a16fbbe407e4b0918199af58fa2149c0a58fdfe32668e
Opcode Fuzzy Hash: a8f77c5b0aafc3a83b6e9a89fc0125d54fce9978fbcf9d902b8238b221feffd7
Instruction Fuzzy Hash: 0E0181B6308105FADB115AD49D52FBA3719AB45751F30453BB613B80F2C53D8512FB2B

Uniqueness

Uniqueness Score: -1.00%

Function 00401992 Relevance: 1.3, APIs: 1, Instructions: 46sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 004019B4

Part of subcall function 00401590: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401648
Part of subcall function 00401590: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401675
Part of subcall function 00401590: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401698

Memory Dump Source

Source File: 00000000.00000002.1414453150.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 994369af4d0fa0c447a21c659804c9e18bb6abd6db9e85dcf8f049b878b9c4ba
Instruction ID: 9477092311c163758adf26378a137d016a4cc75b4861da4fd192d9fcf75081b0
Opcode Fuzzy Hash: 994369af4d0fa0c447a21c659804c9e18bb6abd6db9e85dcf8f049b878b9c4ba
Instruction Fuzzy Hash: 25016D72304105FADB119AD09C52EAA3729AB48355F30457BB613BD0F2C63D8552EB2B

Uniqueness

Uniqueness Score: -1.00%

Function 0042A699 Relevance: 1.3, APIs: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(004330B8,004330B8), ref: 0042A6DD

Memory Dump Source

Source File: 00000000.00000002.1414471091.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_file.jbxd

Similarity

API ID: lstrcat
String ID:
API String ID: 4038537762-0
Opcode ID: d8ce828ddb3e3b89c7e14f01459909c768321fc3c32f4d8f787e6f127de201d3
Instruction ID: 776012faca387447a5f2d116b52a4949e0788a177b6d09e56cc1489330ce0eec
Opcode Fuzzy Hash: d8ce828ddb3e3b89c7e14f01459909c768321fc3c32f4d8f787e6f127de201d3
Instruction Fuzzy Hash: BAF0F6B1A002608BC724AF68EC4669677E0F714314F40553EEB91D71B1D77C4856CB8E

Uniqueness

Uniqueness Score: -1.00%

Function 00429E93 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(00000000,0042A4F0), ref: 00429E9B

Memory Dump Source

Source File: 00000000.00000002.1414471091.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_file.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 0450ee71e49467bda65135f7e85c9d97833a4e9fbeb7e76893f2a804db42827a
Instruction ID: 983349b6d94ecb4474befcd3d41227a4f0d523b782bb3c5fcab19225c91a152e
Opcode Fuzzy Hash: 0450ee71e49467bda65135f7e85c9d97833a4e9fbeb7e76893f2a804db42827a
Instruction Fuzzy Hash: 32B012744043008BCB000F50AC447443AF0B308312F002035F54441270CBB000839F18

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 005D092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

l, xrefs: 005D0966
., xrefs: 005D095F
GetProcAddress., xrefs: 005D09DC, 005D09DF, 005D09E4

Memory Dump Source

Source File: 00000000.00000002.1414674284.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: f1d2a22214cb9c96db2cb5e2ffd4a563243a465545b93e2a2a3d4146318cd5f1
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: D33117B6900609DFDB20CF99C884BAEBBF5FB48324F25504BD441A7351D771AA45CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00415B47 Relevance: 3.0, APIs: 2, Instructions: 14COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00415B47
EnumSystemLocalesA.KERNEL32(Function_0000A7A5,00000001), ref: 00415B5F

Memory Dump Source

Source File: 00000000.00000002.1414471091.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_file.jbxd

Similarity

API ID: EnumLocalesSystem_strlen
String ID:
API String ID: 216762292-0
Opcode ID: 5fbdfd944edfc9c4ab2ae3019b290749894b28c472c1c0a9d62db397e67e1d54
Instruction ID: bdbf5b86c2eb259632c50b612d2782604680efe6db51b4aa2462224b237597c1
Opcode Fuzzy Hash: 5fbdfd944edfc9c4ab2ae3019b290749894b28c472c1c0a9d62db397e67e1d54
Instruction Fuzzy Hash: 56D0A7B09207068AEB108F34C509BA177D0DB40F05F54961DD957C04D0C7BC90848108

Uniqueness

Uniqueness Score: -1.00%

Function 0041A73D Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,?,?,?), ref: 0041A74E

Memory Dump Source

Source File: 00000000.00000002.1414471091.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_file.jbxd

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 7f1d30bf1cace75e41e2f02c8cd2e97c3756c5d9d11c345424d145a4b26bd24a
Instruction ID: ac1e20b46efd54604dd6ce164acddd650fb10fc0e74db3512119a69da8af4651
Opcode Fuzzy Hash: 7f1d30bf1cace75e41e2f02c8cd2e97c3756c5d9d11c345424d145a4b26bd24a
Instruction Fuzzy Hash: A4C0013600028EBB8F025F82EC0889A7F6AEB89760B048020FA28050318B339931AB95

Uniqueness

Uniqueness Score: -1.00%

Function 0041844F Relevance: .4, Instructions: 384COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1414471091.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
Instruction ID: 3f389b74755fc8b566f27a858c6006089faeb7c9ac75043fc74b914c0cb45dcb
Opcode Fuzzy Hash: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
Instruction Fuzzy Hash: FCD18073C5E9B30A8736812D845826FEE626FD174032EC3E69CD43F389DA2A5D80D6D4

Uniqueness

Uniqueness Score: -1.00%

Function 0041802F Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1414471091.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
Instruction ID: 6d11bb0573dfe30372dcb9a8f0d679dd0c45a675beddb2cdb836e96292e52f64
Opcode Fuzzy Hash: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
Instruction Fuzzy Hash: E8D17E73C5E9B30A8736812D80582AFEE626FD165031FC3E69CE03F389D62A5D85D6D4

Uniqueness

Uniqueness Score: -1.00%

Function 00417C23 Relevance: .4, Instructions: 361COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1414471091.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
Instruction ID: 42d20231b6872b211cb141a2946e7442286a39ba3f2639015f582647041793ab
Opcode Fuzzy Hash: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
Instruction Fuzzy Hash: EAC16E73C5E9B3068736812D80582AFEE726FC165031EC7E29CD43F389D62A5D81C6D4

Uniqueness

Uniqueness Score: -1.00%

Function 0041784F Relevance: .4, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1414471091.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
Instruction ID: 423ea95528c611f50d3538ff1d63731cddf98dde4aba927d145a506b7155d377
Opcode Fuzzy Hash: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
Instruction Fuzzy Hash: 3FC16F73D5E9B30A8736812D80582AFEE726FD174031EC7A28CD43F389D62A9D85D6D4

Uniqueness

Uniqueness Score: -1.00%

Function 00403383 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1414453150.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92699fe28aeb30674df7c6871e0a874285451ae8aa663ad412d4ee49bbfe7345
Instruction ID: caa7eeee9c10932885a9f800341ee0304ff2e022e4962b41fb858d95b14d8567
Opcode Fuzzy Hash: 92699fe28aeb30674df7c6871e0a874285451ae8aa663ad412d4ee49bbfe7345
Instruction Fuzzy Hash: BB3148A240D3C1AFDB236E3408A6587BFA8AA1371270D61EBC591AB5D3D53C4A06C75E

Uniqueness

Uniqueness Score: -1.00%

Function 0060C3DC Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1414773059.0000000000609000.00000040.00000020.00020000.00000000.sdmp, Offset: 00609000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_609000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: 8401da551a2170aa9ad0bcc9697475bd848cf3140f5f0a40c1f7c8ed95ef1b16
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 59115A72380100AFD748DF59DCA1EA773EAFB89330B298169E905CB352D675EC02C760

Uniqueness

Uniqueness Score: -1.00%

Function 005D0D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1414674284.00000000005D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 005D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5d0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 33b62e3fa8d9d576bc60db09173d9c203964da0be1d618487df522382980e989
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: 8D01A7766006048FDF31DF68C804BAB37FAFB85316F4544ABD506973C2E774A9418B90

Uniqueness

Uniqueness Score: -1.00%

Function 0040D9BC Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 0040D9D5

Part of subcall function 0040DD5B: Sleep.KERNEL32(00000000), ref: 0040DD83

__calloc_crt.LIBCMT ref: 0040D9F9
__calloc_crt.LIBCMT ref: 0040DA15
__copytlocinfo_nolock.LIBCMT ref: 0040DA3A
__setlocale_nolock.LIBCMT ref: 0040DA47
___removelocaleref.LIBCMT ref: 0040DA53
___freetlocinfo.LIBCMT ref: 0040DA5A
___removelocaleref.LIBCMT ref: 0040DA87
___freetlocinfo.LIBCMT ref: 0040DA8E

Strings

x[C, xrefs: 0040DA35

Memory Dump Source

Source File: 00000000.00000002.1414471091.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_file.jbxd

Similarity

API ID: __calloc_crt$___freetlocinfo___removelocaleref$Sleep__copytlocinfo_nolock__setlocale_nolock
String ID: x[C
API String ID: 1483262949-322532431
Opcode ID: 543030fe5b8f91601b8bfc8b0ba4f19657f3808c7138c3b744e39bf72de2ec7e
Instruction ID: 62c006b0238abe14bb557f2ee5b1993faebe0e3c8587781fe544ee2ff6898633
Opcode Fuzzy Hash: 543030fe5b8f91601b8bfc8b0ba4f19657f3808c7138c3b744e39bf72de2ec7e
Instruction Fuzzy Hash: 02210A35908600EBE7217FA6D94291BBBE5DF81714B20843FF445762E1DB3D9C09CA5C

Uniqueness

Uniqueness Score: -1.00%

Function 0040DABE Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0040DAF2
__calloc_crt.LIBCMT ref: 0040DB0F
__copytlocinfo_nolock.LIBCMT ref: 0040DB37
__setlocale_nolock.LIBCMT ref: 0040DB4C
___removelocaleref.LIBCMT ref: 0040DB99
_sync_legacy_variables_lk.LIBCMT ref: 0040DBD2

Strings

x[C, xrefs: 0040DBB0, 0040DBBC, 0040DBC4

Memory Dump Source

Source File: 00000000.00000002.1414471091.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_file.jbxd

Similarity

API ID: ___removelocaleref__calloc_crt__copytlocinfo_nolock__getptd__setlocale_nolock_sync_legacy_variables_lk
String ID: x[C
API String ID: 1452248112-322532431
Opcode ID: d4ad7fb4daad22d2b79a8a8da4d834a6b1b4a31b7fc314773b6823dcc0c78172
Instruction ID: c9646a59e880011c3c2e4f65271d5dafb6fbdc375cff1f0918f01953bb45491e
Opcode Fuzzy Hash: d4ad7fb4daad22d2b79a8a8da4d834a6b1b4a31b7fc314773b6823dcc0c78172
Instruction Fuzzy Hash: EC315C71D08304ABEB10BFA6D882B9D77A0AF48318F20453FF405762C2DBBDA9459A5D

Uniqueness

Uniqueness Score: -1.00%

Function 0042A0AE Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 52timeCOMMON

Download Yara Rule

APIs

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042A0DA
LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,?,00000000), ref: 0042A0FF
GetTimeFormatW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042A10B

Strings

-, xrefs: 0042A0D4
-, xrefs: 0042A118

Memory Dump Source

Source File: 00000000.00000002.1414471091.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_file.jbxd

Similarity

API ID: EnvironmentFormatFreeStringStringsTime
String ID: -$-
API String ID: 4109882376-2078519666
Opcode ID: d8e2e6e5f3c72c4549d77319af0277c6416c4ab5c0e8a052b70efa061f87051d
Instruction ID: a41f706d3d3aa3d6e368c7f4894c9cda70089640796c0b40099bc4779e4bcbff
Opcode Fuzzy Hash: d8e2e6e5f3c72c4549d77319af0277c6416c4ab5c0e8a052b70efa061f87051d
Instruction Fuzzy Hash: 8001B130601124ABC7249F29EC859AF7BF8EF49364F41006AF845D6151CA3849CACBD9

Uniqueness

Uniqueness Score: -1.00%

Function 0040CC29 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

___addlocaleref.LIBCMT ref: 0040CC3B
___removelocaleref.LIBCMT ref: 0040CC46
___freetlocinfo.LIBCMT ref: 0040CC5A

Part of subcall function 0040C992: ___free_lconv_mon.LIBCMT ref: 0040C9D8
Part of subcall function 0040C992: ___free_lconv_num.LIBCMT ref: 0040C9F9
Part of subcall function 0040C992: ___free_lc_time.LIBCMT ref: 0040CA7E

Strings

x[C, xrefs: 0040CC38
x[C, xrefs: 0040CC51

Memory Dump Source

Source File: 00000000.00000002.1414471091.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_file.jbxd

Similarity

API ID: ___addlocaleref___free_lc_time___free_lconv_mon___free_lconv_num___freetlocinfo___removelocaleref
String ID: x[C$x[C
API String ID: 4212647719-4174974635
Opcode ID: 461ce3d863efb26039261430713ae1b185fe4c1eef677bc329c274e69040f3a5
Instruction ID: 2458e6a79b1a0b8ef7f660e2147fd06bcdccf9ad2305b01a30ad798f5209568e
Opcode Fuzzy Hash: 461ce3d863efb26039261430713ae1b185fe4c1eef677bc329c274e69040f3a5
Instruction Fuzzy Hash: D3E04F36A09A25D5EA35673DE6C436BA2944F81F14B1A037BF888B73C4DB7C6C8140AD

Uniqueness

Uniqueness Score: -1.00%

Function 0040CE5C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

InterlockedDecrement.KERNEL32(00000000), ref: 0040CDC5

Part of subcall function 0040DC2C: ___sbh_find_block.LIBCMT ref: 0040DC55
Part of subcall function 0040DC2C: ___sbh_free_block.LIBCMT ref: 0040DC64
Part of subcall function 0040DC2C: HeapFree.KERNEL32(00000000,?,?,?,0040B070), ref: 0040DC94
Part of subcall function 0040DC2C: GetLastError.KERNEL32(?,?,0040B070), ref: 0040DCA5

___removelocaleref.LIBCMT ref: 0040CE02
___freetlocinfo.LIBCMT ref: 0040CE1B

Strings

x[C, xrefs: 0040CE13

Memory Dump Source

Source File: 00000000.00000002.1414471091.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_file.jbxd

Similarity

API ID: DecrementErrorFreeHeapInterlockedLast___freetlocinfo___removelocaleref___sbh_find_block___sbh_free_block
String ID: x[C
API String ID: 1994049539-322532431
Opcode ID: 0f21478117fafbb969637c1e16e9349181b9c84cc8b8b5991245fc3939fefabf
Instruction ID: f3445b3713d8c415cb6917acfe491b897e74a8d3f9b2a442867ece798adebe25
Opcode Fuzzy Hash: 0f21478117fafbb969637c1e16e9349181b9c84cc8b8b5991245fc3939fefabf
Instruction Fuzzy Hash: 6A116A71901600E6DB206FA9D98675EB6A49F04754F204A3FF098BB2D0CB7CA980D69D

Uniqueness

Uniqueness Score: -1.00%

Function 0040C48B Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0040C497

Part of subcall function 0040BB7E: __getptd_noexit.LIBCMT ref: 0040BB81

InterlockedDecrement.KERNEL32(?), ref: 0040C4E4
InterlockedIncrement.KERNEL32(00435A70), ref: 0040C50F

Strings

HVC, xrefs: 0040C4EE

Memory Dump Source

Source File: 00000000.00000002.1414471091.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_file.jbxd

Similarity

API ID: Interlocked$DecrementIncrement__getptd__getptd_noexit
String ID: HVC
API String ID: 1082005941-2197614482
Opcode ID: 264f0bb8e575a079a5fe93f0d94f119bef7b3ab1b02446141038922046e5cca5
Instruction ID: 0d4105488366e49ea7db6960d46a2987e9f2bab405e8e055567e10f0fb7bc84f
Opcode Fuzzy Hash: 264f0bb8e575a079a5fe93f0d94f119bef7b3ab1b02446141038922046e5cca5
Instruction Fuzzy Hash: 8B015E32E01A21E7DB11AF65988676E77A0BB04754F14523BE800776D0CB3CB942EBDE

Uniqueness

Uniqueness Score: -1.00%

Function 004119CA Relevance: 6.1, APIs: 4, Instructions: 71COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?), ref: 004119FE
GetLastError.KERNEL32 ref: 00411A08
__alloc_osfhnd.LIBCMT ref: 00411A30
__set_osfhnd.LIBCMT ref: 00411A5A

Memory Dump Source

Source File: 00000000.00000002.1414471091.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_file.jbxd

Similarity

API ID: ErrorFileLastType__alloc_osfhnd__set_osfhnd
String ID:
API String ID: 1633174738-0
Opcode ID: 80568a016660d15a258a59685d58af6edb54c7183ad09c0226f7f96b2749771e
Instruction ID: fa6c7a7013c04da09d3a715d218d1b9d18c7e4ee19b65d319f4f449c4adfb514
Opcode Fuzzy Hash: 80568a016660d15a258a59685d58af6edb54c7183ad09c0226f7f96b2749771e
Instruction Fuzzy Hash: A02133705562059ACB119F75C8013DA7F60AF42368F28825AE6609B2F3C77C89C2DF8D

Uniqueness

Uniqueness Score: -1.00%

Function 0042B379 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0042B39F

Part of subcall function 0042B187: __fltout2.LIBCMT ref: 0042B1B3

__cftog_l.LIBCMT ref: 0042B3C5
__cftoe_l.LIBCMT ref: 0042B3F7

Memory Dump Source

Source File: 00000000.00000002.1414471091.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_file.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: afc8384d7de5dc81d749eb2ef2e502e72940c946d5071aaa17129bf9d5fb4602
Instruction ID: 57d662215bfaa0e961a77bd5bf1e3f909260be19f709e1fdb8e6ed64a10772f6
Opcode Fuzzy Hash: afc8384d7de5dc81d749eb2ef2e502e72940c946d5071aaa17129bf9d5fb4602
Instruction Fuzzy Hash: 3C11403214015AFBCF129E85EC41CEE3F62FF18358B998416FE1859131C73AC9B2AB85

Uniqueness

Uniqueness Score: -1.00%

Function 0040DC2C Relevance: 6.0, APIs: 4, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

___sbh_find_block.LIBCMT ref: 0040DC55
___sbh_free_block.LIBCMT ref: 0040DC64
HeapFree.KERNEL32(00000000,?,?,?,0040B070), ref: 0040DC94
GetLastError.KERNEL32(?,?,0040B070), ref: 0040DCA5

Memory Dump Source

Source File: 00000000.00000002.1414471091.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_file.jbxd

Similarity

API ID: ErrorFreeHeapLast___sbh_find_block___sbh_free_block
String ID:
API String ID: 2661975262-0
Opcode ID: 7b3818cb6e09b4c686c59fa898ba8a14df44b59efef8621b32d4633bdcdb734b
Instruction ID: 8c80c960a9e627696f7390d88baa305bf8c9c8b3f63785e072a8af8e409ccc5f
Opcode Fuzzy Hash: 7b3818cb6e09b4c686c59fa898ba8a14df44b59efef8621b32d4633bdcdb734b
Instruction Fuzzy Hash: 16014471C0D202AAEB246FF29D0AB5F7A649F00729F20513FF450765D2CBBC9945CA5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040CE67 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0040CE73

Part of subcall function 0040BB7E: __getptd_noexit.LIBCMT ref: 0040BB81

__calloc_crt.LIBCMT ref: 0040CE7E

Part of subcall function 0040DD5B: Sleep.KERNEL32(00000000), ref: 0040DD83

___addlocaleref.LIBCMT ref: 0040CEC0
InterlockedIncrement.KERNEL32(?), ref: 0040CEE4

Memory Dump Source

Source File: 00000000.00000002.1414471091.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_file.jbxd

Similarity

API ID: IncrementInterlockedSleep___addlocaleref__calloc_crt__getptd__getptd_noexit
String ID:
API String ID: 517392906-0
Opcode ID: 26be395ccae4c0d3af98ad6e00ac8468b42ac93834289bba34231fdc640f5d54
Instruction ID: 34c39c5f68fbdb14419bfc2cf1162389da59d9f25ce69aa87c237285b1b75e74
Opcode Fuzzy Hash: 26be395ccae4c0d3af98ad6e00ac8468b42ac93834289bba34231fdc640f5d54
Instruction Fuzzy Hash: 18019E71944301EBE720BFB6D88270C76A0AF04B28F20462FF454BB6D1CB7C59418B9E

Uniqueness

Uniqueness Score: -1.00%

Function 0040CC67 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0040CC73

Part of subcall function 0040BB7E: __getptd_noexit.LIBCMT ref: 0040BB81

__getptd.LIBCMT ref: 0040CC8A

Strings

x[C, xrefs: 0040CCB5

Memory Dump Source

Source File: 00000000.00000002.1414471091.000000000040B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_40b000_file.jbxd

Similarity

API ID: __getptd$__getptd_noexit
String ID: x[C
API String ID: 989085358-322532431
Opcode ID: 78f73c5a8add5469d15dfe0212debd3cc396fcc4181ce23a58301c9834664f24
Instruction ID: b589b27d6c7a0deb32288ccddcaf34e1d8821bd18b9988cd748bef53a64da315
Opcode Fuzzy Hash: 78f73c5a8add5469d15dfe0212debd3cc396fcc4181ce23a58301c9834664f24
Instruction Fuzzy Hash: 49F01D72948700DBE621BBB6D446B4A73A0AF04728F14567FE444B76D1CB3CA9009B5E

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: gferuhfPID: 7520, Parent PID: 1040COMMON

Execution Graph

Execution Coverage:	2.8%
Dynamic/Decrypted Code Coverage:	17%
Signature Coverage:	0%
Total number of Nodes:	153
Total number of Limit Nodes:	9

Executed Functions

Function 00401590 Relevance: 10.7, APIs: 7, Instructions: 203
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401648
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401675
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401698
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016B6
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016F7
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401728
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 0040174A

Memory Dump Source

Source File: 00000004.00000002.1676970546.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gferuhf.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 569c601533bfa5fc76acd0aceccd82dced2ec0ba9158162e35254d0d933d7b6e
Instruction ID: d6964195f2ae178c179c3b7a32e304a619fe45f2cb2dcf097c8130f3d204b23e
Opcode Fuzzy Hash: 569c601533bfa5fc76acd0aceccd82dced2ec0ba9158162e35254d0d933d7b6e
Instruction Fuzzy Hash: 64616FB0904205FFEB208F91CC58FAF7BB8EF81710F10416AFA12BA1E5D6749941DB65

Uniqueness

Uniqueness Score: -1.00%

Function 0040159B Relevance: 10.7, APIs: 7, Instructions: 173
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401648
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401675
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401698
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016B6
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016F7
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401728
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 0040174A

Memory Dump Source

Source File: 00000004.00000002.1676970546.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gferuhf.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: bae20a228bd41bc7813985564ad54ad8a6399e0ad18c72377fec9941621639a0
Instruction ID: ff81ed2e81490e93a7bfe721f9c6a4d9304ec08e35c355afa89281eda0ffd623
Opcode Fuzzy Hash: bae20a228bd41bc7813985564ad54ad8a6399e0ad18c72377fec9941621639a0
Instruction Fuzzy Hash: 3E5109B5900249BFEB208F91CC49FAB7BB8FF85710F144169FA11BA2E5D6749941CB24

Uniqueness

Uniqueness Score: -1.00%

Function 004015B0 Relevance: 10.7, APIs: 7, Instructions: 169
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401648
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401675
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401698
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016B6
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016F7
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401728
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 0040174A

Memory Dump Source

Source File: 00000004.00000002.1676970546.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gferuhf.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 6c4736dca5741fb18473fdef31891e556f9b158cac04651ef2a3a7cb79a50736
Instruction ID: af686ae4933c2f6004de28669cc23aaadd0110c3f88d1b974755b8c34b4799b2
Opcode Fuzzy Hash: 6c4736dca5741fb18473fdef31891e556f9b158cac04651ef2a3a7cb79a50736
Instruction Fuzzy Hash: 0E51F9B5900249BFEB208F91CC48FAF7BB8FF85B10F104169FA11BA2E5D6749941CB24

Uniqueness

Uniqueness Score: -1.00%

Function 004015BC Relevance: 10.7, APIs: 7, Instructions: 168
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401648
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401675
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401698
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016B6
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016F7
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401728
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 0040174A

Memory Dump Source

Source File: 00000004.00000002.1676970546.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gferuhf.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 72661907227a9452eb25ab953c02bdcf5a827517e06e297a0d085dc110f4c5bf
Instruction ID: 765dedf92b6036aea99e2596c7c6646b0bcbba97602321f23575c560d9e65fb8
Opcode Fuzzy Hash: 72661907227a9452eb25ab953c02bdcf5a827517e06e297a0d085dc110f4c5bf
Instruction Fuzzy Hash: 1451E8B5900249BFEF208F91CC48FDF7BB8FF85B10F104169FA11AA2A5D6749945CB64

Uniqueness

Uniqueness Score: -1.00%

Function 004015CB Relevance: 10.7, APIs: 7, Instructions: 164
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401648
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401675
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401698
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016B6
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016F7
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401728
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 0040174A

Memory Dump Source

Source File: 00000004.00000002.1676970546.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gferuhf.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 004f83838c091370c792dd4fcb680897e20f1790ca1ffba750393c7614aa26f8
Instruction ID: 60f1a669064b898f2f8cfe764b4cdaf5e199705ebcb5ef48edc51869d28594cd
Opcode Fuzzy Hash: 004f83838c091370c792dd4fcb680897e20f1790ca1ffba750393c7614aa26f8
Instruction Fuzzy Hash: 2C51FAB1900249BFEF208F91CC48F9FBBB8FF85B10F104169FA11AA2A5D7749941CB24

Uniqueness

Uniqueness Score: -1.00%

Function 0042A1EA Relevance: 56.3, APIs: 31, Strings: 1, Instructions: 284
timelibrarymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteTimerQueueTimer.KERNEL32(00000000,00000000,00000000), ref: 0042A22F
GetLastError.KERNEL32 ref: 0042A235
GetCompressedFileSizeW.KERNEL32(00432E64,?), ref: 0042A256
GetAtomNameA.KERNEL32(00000000,?,00000000), ref: 0042A2A3
_memset.LIBCMT ref: 0042A2BB
SetDefaultCommConfigA.KERNEL32(00432E6C,?,00000000), ref: 0042A2D1
CopyFileExA.KERNEL32(00432E98,00432E88,00000000,00000000,00000000,00000000), ref: 0042A2E9
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042A2F1
GetModuleHandleA.KERNEL32(00000000), ref: 0042A2F9
EnumDateFormatsExW.KERNEL32(00000000,00000000,00000000), ref: 0042A305
RtlDeleteCriticalSection.NTDLL(?), ref: 0042A31B
LoadLibraryW.KERNEL32(00000000), ref: 0042A32C
FreeLibraryAndExitThread.KERNEL32(00000000,00000000), ref: 0042A389
SetConsoleTitleW.KERNEL32(00000000), ref: 0042A391
LocalFree.KERNEL32(00000000), ref: 0042A399
GetConsoleAliasesLengthW.KERNEL32(00000000), ref: 0042A3AB
DnsHostnameToComputerNameW.KERNEL32(00432EA4,?,?), ref: 0042A3C4
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042A3D6
GetTempFileNameA.KERNEL32(00000000,00000000,00000000,?), ref: 0042A3E9
MoveFileExA.KERNEL32(00000000,00000000,00000000), ref: 0042A3F5
OpenWaitableTimerW.KERNEL32(00000000,00000000,00432ED0), ref: 0042A404
CompareStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042A416
GetLongPathNameA.KERNEL32(00432F7C,?,00000000), ref: 0042A42A
RtlSizeHeap.NTDLL(00000000,00000000,00000000), ref: 0042A436
_memset.LIBCMT ref: 0042A48D
__vsnprintf.LIBCMT ref: 0042A4B8
BuildCommDCBA.KERNEL32(00432FD0,?), ref: 0042A55D
VirtualUnlock.KERNEL32(00000000,00000000), ref: 0042A567
GetConsoleOutputCP.KERNEL32 ref: 0042A5F1
SetFileAttributesW.KERNEL32(00432FE0,00000000), ref: 0042A614
OpenWaitableTimerW.KERNEL32(00000000,00000000,00000000), ref: 0042A620

Strings

tl_, xrefs: 0042A26D

Memory Dump Source

Source File: 00000004.00000002.1676990570.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b000_gferuhf.jbxd

Similarity

API ID: File$NameTimer$ConsoleFree$CommDeleteLibraryOpenSizeWaitable_memset$AliasesAtomAttributesBuildByteCharCompareCompressedComputerConfigCopyCriticalDateDefaultEnumEnvironmentErrorExitFormatsHandleHeapHostnameLastLengthLoadLocalLongModuleMoveMultiOutputPathQueueSectionStringStringsTempThreadTitleUnlockVirtualWide__vsnprintf
String ID: tl_
API String ID: 3427034380-2653253968
Opcode ID: 018e87cee8a55491dcdffeecc48db2ec871ace006ee9b4c9d1f5dcbb67ccde01
Instruction ID: e2162f32b396281d88f433798dcedd938f4ec2cdc448f5dc72e2e59d8e3ab766
Opcode Fuzzy Hash: 018e87cee8a55491dcdffeecc48db2ec871ace006ee9b4c9d1f5dcbb67ccde01
Instruction Fuzzy Hash: 19B1B631A44314EFEB249B90ED4AB9973B4FB04706F10507AF649A61E1D7B819C4CF6E

Uniqueness

Uniqueness Score: -1.00%

Function 0047003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0047024D

Strings

cess, xrefs: 0047018D
kernel32.dll, xrefs: 0047008F, 00470095

Memory Dump Source

Source File: 00000004.00000002.1677220887.0000000000470000.00000040.00001000.00020000.00000000.sdmp, Offset: 00470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_470000_gferuhf.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 16711ddd22fd0413336594a03f00dbfaf066cf36866d812deba6f11f0119f937
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 8D527974A01229DFDB64CF68C984BA9BBB1BF09304F1480DAE50DAB351DB34AE85DF15

Uniqueness

Uniqueness Score: -1.00%

Function 00429EA8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37
librarymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(00437C30), ref: 00429F27
VirtualProtect.KERNELBASE(00000040,?), ref: 00429F3F

Strings

, xrefs: 00429EC3

Memory Dump Source

Source File: 00000004.00000002.1676990570.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b000_gferuhf.jbxd

Similarity

API ID: LibraryLoadProtectVirtual
String ID:
API String ID: 3279857687-3916222277
Opcode ID: c2b798b6f0af85355c2251563f1212d6bf79805c320912dc16ddd5c0e38b8d04
Instruction ID: 7666921c887b1d492d6c80e39b0c21d02e5a913eeac477f45812a49e2ea272a2
Opcode Fuzzy Hash: c2b798b6f0af85355c2251563f1212d6bf79805c320912dc16ddd5c0e38b8d04
Instruction Fuzzy Hash: E4012DA140C2D8D9F7328768EC88B5D7E966322708F0430B8D5C0562A2CBFE0959C7FD

Uniqueness

Uniqueness Score: -1.00%

Function 0040B515 Relevance: 4.5, APIs: 3, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentStringsW.KERNEL32 ref: 0040B518
__malloc_crt.LIBCMT ref: 0040B546
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0040B553

Memory Dump Source

Source File: 00000004.00000002.1676990570.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b000_gferuhf.jbxd

Similarity

API ID: EnvironmentStrings$Free__malloc_crt
String ID:
API String ID: 237123855-0
Opcode ID: c4eb010729db78f418548124b7bff9562c8d732c56e44f452c96cb059b469357
Instruction ID: 57c9c94ab1490bbeef973e5c6d01f713e60640f858daec3ee0792fff5fb8643d
Opcode Fuzzy Hash: c4eb010729db78f418548124b7bff9562c8d732c56e44f452c96cb059b469357
Instruction Fuzzy Hash: E8F0823A9052207ADA257B397C484B71638DAC732E31154BBF452D3290F7384D8242ED

Uniqueness

Uniqueness Score: -1.00%

Function 0049B247 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0049B26F
Module32First.KERNEL32(00000000,00000224), ref: 0049B28F

Memory Dump Source

Source File: 00000004.00000002.1677336992.0000000000498000.00000040.00000020.00020000.00000000.sdmp, Offset: 00498000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_498000_gferuhf.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 379f56cf27489b76cf1fbca1f55c0b67ae4fb41eff95c3135c7cf299e2aaa01c
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: E5F0F631100710ABDB203BF5BA8DB6F7AE8EF49324F10057AF646911C0CB78EC0546A9

Uniqueness

Uniqueness Score: -1.00%

Function 00470E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,00470223,?,?), ref: 00470E19
SetErrorMode.KERNELBASE(00000000,?,?,00470223,?,?), ref: 00470E1E

Memory Dump Source

Source File: 00000004.00000002.1677220887.0000000000470000.00000040.00001000.00020000.00000000.sdmp, Offset: 00470000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_470000_gferuhf.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 6b214e80103007eca947940ca629b0f77f36c1fcc8e570edb97f76d7bdc3c18d
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 28D01231145128B7D7002A94DC09BCE7B1CDF09B62F008411FB0DD9180C774994046E9

Uniqueness

Uniqueness Score: -1.00%

Function 004029BA Relevance: 1.6, APIs: 1, Instructions: 60
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00402A18

Memory Dump Source

Source File: 00000004.00000002.1676970546.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gferuhf.jbxd

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 8b4368bb53e1649655da800b8e3771367f61da053ffbe47dde7c34dc5595736a
Instruction ID: ddfd821467dba8d9e3be05996510f596060048204c77d2b9bdf6330f9e046059
Opcode Fuzzy Hash: 8b4368bb53e1649655da800b8e3771367f61da053ffbe47dde7c34dc5595736a
Instruction Fuzzy Hash: 5C11E571708104E7D6209A449B4EF6B3724AB50B00F308077E5077A1C0D9FD9A07BBAF

Uniqueness

Uniqueness Score: -1.00%

Function 004029C5 Relevance: 1.6, APIs: 1, Instructions: 55
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00402A18

Memory Dump Source

Source File: 00000004.00000002.1676970546.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gferuhf.jbxd

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 630f67e63f4c9d6cadc1f4ef28869250e9dd95ac73f78134dda1cef590dfe083
Instruction ID: eda82e36109819710fc28ef01b941f30aa1b457bd77d6c907d6690057fca41fa
Opcode Fuzzy Hash: 630f67e63f4c9d6cadc1f4ef28869250e9dd95ac73f78134dda1cef590dfe083
Instruction Fuzzy Hash: 3C01C471708205E7DA60DA949A4EB6B7710AB51B10F308077E5037A1C4DAFD9A07FB6B

Uniqueness

Uniqueness Score: -1.00%

Function 004029D1 Relevance: 1.6, APIs: 1, Instructions: 54
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00402A18

Memory Dump Source

Source File: 00000004.00000002.1676970546.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gferuhf.jbxd

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 8aebd7c2dfb35844096bdf04bcf18f9291abc38b44631a4f8f553a04b448b611
Instruction ID: 27f311fed6bd4bb195386d6e886048742e5b6b48a655c0a394e70793ed6bf28f
Opcode Fuzzy Hash: 8aebd7c2dfb35844096bdf04bcf18f9291abc38b44631a4f8f553a04b448b611
Instruction Fuzzy Hash: E0018071708105E7DA609A449B4EB6B7324BB50B10F308477E5077A1C4DAFD9A07BB6F

Uniqueness

Uniqueness Score: -1.00%

Function 004029D5 Relevance: 1.6, APIs: 1, Instructions: 51
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00402A18

Memory Dump Source

Source File: 00000004.00000002.1676970546.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gferuhf.jbxd

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 14f9d75437b26c4e33ab762a249f6d4a6897a4cf10a17b4738070ea496484bd2
Instruction ID: 6c082c2f6db60d75b034223dafbed04b71575a1e0537fab93527f59567f6cb96
Opcode Fuzzy Hash: 14f9d75437b26c4e33ab762a249f6d4a6897a4cf10a17b4738070ea496484bd2
Instruction Fuzzy Hash: DB01B531708105E7DB60DA409A4DF5F7720BB50B10F208577E5077A1C4DAF99A17EB9B

Uniqueness

Uniqueness Score: -1.00%

Function 004029E2 Relevance: 1.5, APIs: 1, Instructions: 47libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00402A18

Memory Dump Source

Source File: 00000004.00000002.1676970546.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gferuhf.jbxd

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: b2d371f82e3e545a267ab12f2e2f0a58ec4b54f775fd64736b106f9591d7a7c3
Instruction ID: daf8977218c418413866257df5c9087131837fd98e0c4230724de407841e0162
Opcode Fuzzy Hash: b2d371f82e3e545a267ab12f2e2f0a58ec4b54f775fd64736b106f9591d7a7c3
Instruction Fuzzy Hash: 3801DF31708104E7DB209A848A4DB5E7320AB40B10F208577E507BA1C0DAF9AA07AFAB

Uniqueness

Uniqueness Score: -1.00%

Function 004029E9 Relevance: 1.5, APIs: 1, Instructions: 47libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00402A18

Memory Dump Source

Source File: 00000004.00000002.1676970546.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gferuhf.jbxd

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 9850a57f899f03cbeedeed8d531e786c982b6ed5f0a372be87f463e87495e5bd
Instruction ID: 5524fd7572365f35614fa46947343296b9db081daee3b4d0816b59f029c0b045
Opcode Fuzzy Hash: 9850a57f899f03cbeedeed8d531e786c982b6ed5f0a372be87f463e87495e5bd
Instruction Fuzzy Hash: 2101A731704104E7D7209A448A4EB5E7720AB40704F208477E5067A1C4DAB9EA07AB6B

Uniqueness

Uniqueness Score: -1.00%

Function 004029F9 Relevance: 1.5, APIs: 1, Instructions: 45libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 00402A18

Memory Dump Source

Source File: 00000004.00000002.1676970546.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gferuhf.jbxd

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 83fdb88ab79b739a001a2e8c05ea2e4136fbf27434a3016a2f3de2c8c28590ed
Instruction ID: 2a527b723104a8d4642483acce18f9de5ed6d5a74c4e47f32731208c7d716ef4
Opcode Fuzzy Hash: 83fdb88ab79b739a001a2e8c05ea2e4136fbf27434a3016a2f3de2c8c28590ed
Instruction Fuzzy Hash: 1801A231708104E7DB209A849A4DF9F7720AB40B14F208477E5027A1C0DAF9AA07AFAB

Uniqueness

Uniqueness Score: -1.00%

Function 0040BED2 Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0040BEE7

Memory Dump Source

Source File: 00000004.00000002.1676990570.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b000_gferuhf.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 7141b54344356c25003b81cb57760395943c656c9518405707bdc638f2929ebd
Instruction ID: 9c2fc4f2f639ba88fe29b4510eb2aedc0fe5d1a91e073b8e996e579887af2452
Opcode Fuzzy Hash: 7141b54344356c25003b81cb57760395943c656c9518405707bdc638f2929ebd
Instruction Fuzzy Hash: E7D0A7735983099EDB105F75BC08BA73BDCD384799F104436B95DC6590FB74C941DA48

Uniqueness

Uniqueness Score: -1.00%

Function 00429F55 Relevance: 1.5, APIs: 1, Instructions: 15libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(00437C30,0042A574), ref: 00429FAE

Memory Dump Source

Source File: 00000004.00000002.1676990570.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b000_gferuhf.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e18fff7e849d1c29842ef951126ff08263ec5c699704ab89a84bcbfd76dff6e4
Instruction ID: adbb2f8345eb5fd1f1cc19e7b4d04a687ac24fc833a4ea8b6e56afb847f62d6e
Opcode Fuzzy Hash: e18fff7e849d1c29842ef951126ff08263ec5c699704ab89a84bcbfd76dff6e4
Instruction Fuzzy Hash: E3F0C29094C2C8C9F7328738B9D87192E961322648F4830A981C40A6A2CAEF0169D7FE

Uniqueness

Uniqueness Score: -1.00%

Function 00401969 Relevance: 1.3, APIs: 1, Instructions: 62sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 004019B4

Part of subcall function 00401590: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401648
Part of subcall function 00401590: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401675
Part of subcall function 00401590: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401698

Memory Dump Source

Source File: 00000004.00000002.1676970546.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gferuhf.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: b8285f967374eae4a3c51efe3ce59b098afe428af0dcb557450618fb68c9c18d
Instruction ID: 1276e484f00ba66cbffb4616bb4d5d076efec51046982770477825c9afbd6400
Opcode Fuzzy Hash: b8285f967374eae4a3c51efe3ce59b098afe428af0dcb557450618fb68c9c18d
Instruction Fuzzy Hash: 0F01D2B6708205FADB005A949C62EBB3618AB41755F300637BA13B80F1C57D8513FA6F

Uniqueness

Uniqueness Score: -1.00%

Function 00401975 Relevance: 1.3, APIs: 1, Instructions: 55sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 004019B4

Part of subcall function 00401590: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401648
Part of subcall function 00401590: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401675
Part of subcall function 00401590: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401698

Memory Dump Source

Source File: 00000004.00000002.1676970546.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gferuhf.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 9a4c6db62cce5b151e284cc19e63a433146ff3755d8681b35f1a2b6972971a8e
Instruction ID: 0230620869f43b82b90ed4dddf49477c9f5c6c73dade890abd4ec4b7d4a8195a
Opcode Fuzzy Hash: 9a4c6db62cce5b151e284cc19e63a433146ff3755d8681b35f1a2b6972971a8e
Instruction Fuzzy Hash: 4801BCB6308205FADB005A949C62FBA3219AB84751F30053BB613BC0F1C53D8513FA2F

Uniqueness

Uniqueness Score: -1.00%

Function 0040197F Relevance: 1.3, APIs: 1, Instructions: 54sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 004019B4

Part of subcall function 00401590: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401648
Part of subcall function 00401590: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401675
Part of subcall function 00401590: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401698

Memory Dump Source

Source File: 00000004.00000002.1676970546.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gferuhf.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 25088a1f844088f741a859eeb607afc94706ffd20a91742bc3d9f24c23efa0b5
Instruction ID: 9a4b4ffd5ca22a672d673467c452b15ea5c40039b4ea8ded510267d200494456
Opcode Fuzzy Hash: 25088a1f844088f741a859eeb607afc94706ffd20a91742bc3d9f24c23efa0b5
Instruction Fuzzy Hash: 3A01B1B6308205FADB115A949C61A7A3319AB45711F30053BB613B80F2C53D8512FA1F

Uniqueness

Uniqueness Score: -1.00%

Function 00401986 Relevance: 1.3, APIs: 1, Instructions: 53sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 004019B4

Part of subcall function 00401590: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401648
Part of subcall function 00401590: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401675
Part of subcall function 00401590: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401698

Memory Dump Source

Source File: 00000004.00000002.1676970546.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gferuhf.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: f146987f8c0bf49c3ef7592727f3e0a51ae856d021a330616d03f7304a9c3b71
Instruction ID: 5a2bb716a64f0a1f1a6e426f0b200f3e6862a670896c4db1e76ea4af0659c5ba
Opcode Fuzzy Hash: f146987f8c0bf49c3ef7592727f3e0a51ae856d021a330616d03f7304a9c3b71
Instruction Fuzzy Hash: 3101DFB2308205FADB005AD49C62F7A3219AB85715F30453BB623B80F1C63D8512FB2F

Uniqueness

Uniqueness Score: -1.00%

Function 0049AF06 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 0049AF57

Memory Dump Source

Source File: 00000004.00000002.1677336992.0000000000498000.00000040.00000020.00020000.00000000.sdmp, Offset: 00498000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_498000_gferuhf.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: fd8453d5184ab4e9efb4eeb20bc239c7fd41acee9c25a3a34b45a79205eb303e
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: E4112B79A40208EFDB01DF98CA85E99BFF5EF08350F0580A5F9489B362D375EA50DB85

Uniqueness

Uniqueness Score: -1.00%

Function 004019A2 Relevance: 1.3, APIs: 1, Instructions: 47sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 004019B4

Part of subcall function 00401590: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401648
Part of subcall function 00401590: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401675
Part of subcall function 00401590: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401698

Memory Dump Source

Source File: 00000004.00000002.1676970546.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gferuhf.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: a8f77c5b0aafc3a83b6e9a89fc0125d54fce9978fbcf9d902b8238b221feffd7
Instruction ID: 689da8ed0bf63c85a60a16fbbe407e4b0918199af58fa2149c0a58fdfe32668e
Opcode Fuzzy Hash: a8f77c5b0aafc3a83b6e9a89fc0125d54fce9978fbcf9d902b8238b221feffd7
Instruction Fuzzy Hash: 0E0181B6308105FADB115AD49D52FBA3719AB45751F30453BB613B80F2C53D8512FB2B

Uniqueness

Uniqueness Score: -1.00%

Function 00401992 Relevance: 1.3, APIs: 1, Instructions: 46sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388), ref: 004019B4

Part of subcall function 00401590: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401648
Part of subcall function 00401590: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401675
Part of subcall function 00401590: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401698

Memory Dump Source

Source File: 00000004.00000002.1676970546.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_gferuhf.jbxd

Similarity

API ID: Section$CreateDuplicateObjectSleepView
String ID:
API String ID: 1885482327-0
Opcode ID: 994369af4d0fa0c447a21c659804c9e18bb6abd6db9e85dcf8f049b878b9c4ba
Instruction ID: 9477092311c163758adf26378a137d016a4cc75b4861da4fd192d9fcf75081b0
Opcode Fuzzy Hash: 994369af4d0fa0c447a21c659804c9e18bb6abd6db9e85dcf8f049b878b9c4ba
Instruction Fuzzy Hash: 25016D72304105FADB119AD09C52EAA3729AB48355F30457BB613BD0F2C63D8552EB2B

Uniqueness

Uniqueness Score: -1.00%

Function 0042A699 Relevance: 1.3, APIs: 1, Instructions: 30stringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(004330B8,004330B8), ref: 0042A6DD

Memory Dump Source

Source File: 00000004.00000002.1676990570.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b000_gferuhf.jbxd

Similarity

API ID: lstrcat
String ID:
API String ID: 4038537762-0
Opcode ID: d8ce828ddb3e3b89c7e14f01459909c768321fc3c32f4d8f787e6f127de201d3
Instruction ID: 776012faca387447a5f2d116b52a4949e0788a177b6d09e56cc1489330ce0eec
Opcode Fuzzy Hash: d8ce828ddb3e3b89c7e14f01459909c768321fc3c32f4d8f787e6f127de201d3
Instruction Fuzzy Hash: BAF0F6B1A002608BC724AF68EC4669677E0F714314F40553EEB91D71B1D77C4856CB8E

Uniqueness

Uniqueness Score: -1.00%

Function 00429E93 Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(00000000,0042A4F0), ref: 00429E9B

Memory Dump Source

Source File: 00000004.00000002.1676990570.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b000_gferuhf.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 0450ee71e49467bda65135f7e85c9d97833a4e9fbeb7e76893f2a804db42827a
Instruction ID: 983349b6d94ecb4474befcd3d41227a4f0d523b782bb3c5fcab19225c91a152e
Opcode Fuzzy Hash: 0450ee71e49467bda65135f7e85c9d97833a4e9fbeb7e76893f2a804db42827a
Instruction Fuzzy Hash: 32B012744043008BCB000F50AC447443AF0B308312F002035F54441270CBB000839F18

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040D9BC Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 0040D9D5

Part of subcall function 0040DD5B: Sleep.KERNEL32(00000000), ref: 0040DD83

__calloc_crt.LIBCMT ref: 0040D9F9
__calloc_crt.LIBCMT ref: 0040DA15
__copytlocinfo_nolock.LIBCMT ref: 0040DA3A
__setlocale_nolock.LIBCMT ref: 0040DA47
___removelocaleref.LIBCMT ref: 0040DA53
___freetlocinfo.LIBCMT ref: 0040DA5A
___removelocaleref.LIBCMT ref: 0040DA87
___freetlocinfo.LIBCMT ref: 0040DA8E

Strings

x[C, xrefs: 0040DA35

Memory Dump Source

Source File: 00000004.00000002.1676990570.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b000_gferuhf.jbxd

Similarity

API ID: __calloc_crt$___freetlocinfo___removelocaleref$Sleep__copytlocinfo_nolock__setlocale_nolock
String ID: x[C
API String ID: 1483262949-322532431
Opcode ID: 543030fe5b8f91601b8bfc8b0ba4f19657f3808c7138c3b744e39bf72de2ec7e
Instruction ID: 62c006b0238abe14bb557f2ee5b1993faebe0e3c8587781fe544ee2ff6898633
Opcode Fuzzy Hash: 543030fe5b8f91601b8bfc8b0ba4f19657f3808c7138c3b744e39bf72de2ec7e
Instruction Fuzzy Hash: 02210A35908600EBE7217FA6D94291BBBE5DF81714B20843FF445762E1DB3D9C09CA5C

Uniqueness

Uniqueness Score: -1.00%

Function 0040DABE Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0040DAF2
__calloc_crt.LIBCMT ref: 0040DB0F
__copytlocinfo_nolock.LIBCMT ref: 0040DB37
__setlocale_nolock.LIBCMT ref: 0040DB4C
___removelocaleref.LIBCMT ref: 0040DB99
_sync_legacy_variables_lk.LIBCMT ref: 0040DBD2

Strings

x[C, xrefs: 0040DBB0, 0040DBBC, 0040DBC4

Memory Dump Source

Source File: 00000004.00000002.1676990570.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b000_gferuhf.jbxd

Similarity

API ID: ___removelocaleref__calloc_crt__copytlocinfo_nolock__getptd__setlocale_nolock_sync_legacy_variables_lk
String ID: x[C
API String ID: 1452248112-322532431
Opcode ID: d4ad7fb4daad22d2b79a8a8da4d834a6b1b4a31b7fc314773b6823dcc0c78172
Instruction ID: c9646a59e880011c3c2e4f65271d5dafb6fbdc375cff1f0918f01953bb45491e
Opcode Fuzzy Hash: d4ad7fb4daad22d2b79a8a8da4d834a6b1b4a31b7fc314773b6823dcc0c78172
Instruction Fuzzy Hash: EC315C71D08304ABEB10BFA6D882B9D77A0AF48318F20453FF405762C2DBBDA9459A5D

Uniqueness

Uniqueness Score: -1.00%

Function 0042A0AE Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 52timeCOMMON

Download Yara Rule

APIs

FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0042A0DA
LCMapStringW.KERNEL32(00000000,00000000,00000000,00000000,?,00000000), ref: 0042A0FF
GetTimeFormatW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042A10B

Strings

-, xrefs: 0042A118
-, xrefs: 0042A0D4

Memory Dump Source

Source File: 00000004.00000002.1676990570.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b000_gferuhf.jbxd

Similarity

API ID: EnvironmentFormatFreeStringStringsTime
String ID: -$-
API String ID: 4109882376-2078519666
Opcode ID: d8e2e6e5f3c72c4549d77319af0277c6416c4ab5c0e8a052b70efa061f87051d
Instruction ID: a41f706d3d3aa3d6e368c7f4894c9cda70089640796c0b40099bc4779e4bcbff
Opcode Fuzzy Hash: d8e2e6e5f3c72c4549d77319af0277c6416c4ab5c0e8a052b70efa061f87051d
Instruction Fuzzy Hash: 8001B130601124ABC7249F29EC859AF7BF8EF49364F41006AF845D6151CA3849CACBD9

Uniqueness

Uniqueness Score: -1.00%

Function 0040CC29 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 29COMMONLIBRARYCODE

Download Yara Rule

APIs

___addlocaleref.LIBCMT ref: 0040CC3B
___removelocaleref.LIBCMT ref: 0040CC46
___freetlocinfo.LIBCMT ref: 0040CC5A

Part of subcall function 0040C992: ___free_lconv_mon.LIBCMT ref: 0040C9D8
Part of subcall function 0040C992: ___free_lconv_num.LIBCMT ref: 0040C9F9
Part of subcall function 0040C992: ___free_lc_time.LIBCMT ref: 0040CA7E

Strings

x[C, xrefs: 0040CC38
x[C, xrefs: 0040CC51

Memory Dump Source

Source File: 00000004.00000002.1676990570.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b000_gferuhf.jbxd

Similarity

API ID: ___addlocaleref___free_lc_time___free_lconv_mon___free_lconv_num___freetlocinfo___removelocaleref
String ID: x[C$x[C
API String ID: 4212647719-4174974635
Opcode ID: 461ce3d863efb26039261430713ae1b185fe4c1eef677bc329c274e69040f3a5
Instruction ID: 2458e6a79b1a0b8ef7f660e2147fd06bcdccf9ad2305b01a30ad798f5209568e
Opcode Fuzzy Hash: 461ce3d863efb26039261430713ae1b185fe4c1eef677bc329c274e69040f3a5
Instruction Fuzzy Hash: D3E04F36A09A25D5EA35673DE6C436BA2944F81F14B1A037BF888B73C4DB7C6C8140AD

Uniqueness

Uniqueness Score: -1.00%

Function 0040CE5C Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

InterlockedDecrement.KERNEL32(00000000), ref: 0040CDC5

Part of subcall function 0040DC2C: ___sbh_find_block.LIBCMT ref: 0040DC55
Part of subcall function 0040DC2C: ___sbh_free_block.LIBCMT ref: 0040DC64
Part of subcall function 0040DC2C: HeapFree.KERNEL32(00000000,?,?,?,0040B070), ref: 0040DC94
Part of subcall function 0040DC2C: GetLastError.KERNEL32(?,?,0040B070), ref: 0040DCA5

___removelocaleref.LIBCMT ref: 0040CE02
___freetlocinfo.LIBCMT ref: 0040CE1B

Strings

x[C, xrefs: 0040CE13

Memory Dump Source

Source File: 00000004.00000002.1676990570.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b000_gferuhf.jbxd

Similarity

API ID: DecrementErrorFreeHeapInterlockedLast___freetlocinfo___removelocaleref___sbh_find_block___sbh_free_block
String ID: x[C
API String ID: 1994049539-322532431
Opcode ID: 0f21478117fafbb969637c1e16e9349181b9c84cc8b8b5991245fc3939fefabf
Instruction ID: f3445b3713d8c415cb6917acfe491b897e74a8d3f9b2a442867ece798adebe25
Opcode Fuzzy Hash: 0f21478117fafbb969637c1e16e9349181b9c84cc8b8b5991245fc3939fefabf
Instruction Fuzzy Hash: 6A116A71901600E6DB206FA9D98675EB6A49F04754F204A3FF098BB2D0CB7CA980D69D

Uniqueness

Uniqueness Score: -1.00%

Function 0040C48B Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0040C497

Part of subcall function 0040BB7E: __getptd_noexit.LIBCMT ref: 0040BB81

InterlockedDecrement.KERNEL32(?), ref: 0040C4E4
InterlockedIncrement.KERNEL32(00435A70), ref: 0040C50F

Strings

HVC, xrefs: 0040C4EE

Memory Dump Source

Source File: 00000004.00000002.1676990570.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b000_gferuhf.jbxd

Similarity

API ID: Interlocked$DecrementIncrement__getptd__getptd_noexit
String ID: HVC
API String ID: 1082005941-2197614482
Opcode ID: 264f0bb8e575a079a5fe93f0d94f119bef7b3ab1b02446141038922046e5cca5
Instruction ID: 0d4105488366e49ea7db6960d46a2987e9f2bab405e8e055567e10f0fb7bc84f
Opcode Fuzzy Hash: 264f0bb8e575a079a5fe93f0d94f119bef7b3ab1b02446141038922046e5cca5
Instruction Fuzzy Hash: 8B015E32E01A21E7DB11AF65988676E77A0BB04754F14523BE800776D0CB3CB942EBDE

Uniqueness

Uniqueness Score: -1.00%

Function 004119CA Relevance: 6.1, APIs: 4, Instructions: 71COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?), ref: 004119FE
GetLastError.KERNEL32 ref: 00411A08
__alloc_osfhnd.LIBCMT ref: 00411A30
__set_osfhnd.LIBCMT ref: 00411A5A

Memory Dump Source

Source File: 00000004.00000002.1676990570.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b000_gferuhf.jbxd

Similarity

API ID: ErrorFileLastType__alloc_osfhnd__set_osfhnd
String ID:
API String ID: 1633174738-0
Opcode ID: 80568a016660d15a258a59685d58af6edb54c7183ad09c0226f7f96b2749771e
Instruction ID: fa6c7a7013c04da09d3a715d218d1b9d18c7e4ee19b65d319f4f449c4adfb514
Opcode Fuzzy Hash: 80568a016660d15a258a59685d58af6edb54c7183ad09c0226f7f96b2749771e
Instruction Fuzzy Hash: A02133705562059ACB119F75C8013DA7F60AF42368F28825AE6609B2F3C77C89C2DF8D

Uniqueness

Uniqueness Score: -1.00%

Function 0042B379 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0042B39F

Part of subcall function 0042B187: __fltout2.LIBCMT ref: 0042B1B3

__cftog_l.LIBCMT ref: 0042B3C5
__cftoe_l.LIBCMT ref: 0042B3F7

Memory Dump Source

Source File: 00000004.00000002.1676990570.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b000_gferuhf.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: afc8384d7de5dc81d749eb2ef2e502e72940c946d5071aaa17129bf9d5fb4602
Instruction ID: 57d662215bfaa0e961a77bd5bf1e3f909260be19f709e1fdb8e6ed64a10772f6
Opcode Fuzzy Hash: afc8384d7de5dc81d749eb2ef2e502e72940c946d5071aaa17129bf9d5fb4602
Instruction Fuzzy Hash: 3C11403214015AFBCF129E85EC41CEE3F62FF18358B998416FE1859131C73AC9B2AB85

Uniqueness

Uniqueness Score: -1.00%

Function 0040DC2C Relevance: 6.0, APIs: 4, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

___sbh_find_block.LIBCMT ref: 0040DC55
___sbh_free_block.LIBCMT ref: 0040DC64
HeapFree.KERNEL32(00000000,?,?,?,0040B070), ref: 0040DC94
GetLastError.KERNEL32(?,?,0040B070), ref: 0040DCA5

Memory Dump Source

Source File: 00000004.00000002.1676990570.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b000_gferuhf.jbxd

Similarity

API ID: ErrorFreeHeapLast___sbh_find_block___sbh_free_block
String ID:
API String ID: 2661975262-0
Opcode ID: 7b3818cb6e09b4c686c59fa898ba8a14df44b59efef8621b32d4633bdcdb734b
Instruction ID: 8c80c960a9e627696f7390d88baa305bf8c9c8b3f63785e072a8af8e409ccc5f
Opcode Fuzzy Hash: 7b3818cb6e09b4c686c59fa898ba8a14df44b59efef8621b32d4633bdcdb734b
Instruction Fuzzy Hash: 16014471C0D202AAEB246FF29D0AB5F7A649F00729F20513FF450765D2CBBC9945CA5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040CE67 Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0040CE73

Part of subcall function 0040BB7E: __getptd_noexit.LIBCMT ref: 0040BB81

__calloc_crt.LIBCMT ref: 0040CE7E

Part of subcall function 0040DD5B: Sleep.KERNEL32(00000000), ref: 0040DD83

___addlocaleref.LIBCMT ref: 0040CEC0
InterlockedIncrement.KERNEL32(?), ref: 0040CEE4

Memory Dump Source

Source File: 00000004.00000002.1676990570.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b000_gferuhf.jbxd

Similarity

API ID: IncrementInterlockedSleep___addlocaleref__calloc_crt__getptd__getptd_noexit
String ID:
API String ID: 517392906-0
Opcode ID: 26be395ccae4c0d3af98ad6e00ac8468b42ac93834289bba34231fdc640f5d54
Instruction ID: 34c39c5f68fbdb14419bfc2cf1162389da59d9f25ce69aa87c237285b1b75e74
Opcode Fuzzy Hash: 26be395ccae4c0d3af98ad6e00ac8468b42ac93834289bba34231fdc640f5d54
Instruction Fuzzy Hash: 18019E71944301EBE720BFB6D88270C76A0AF04B28F20462FF454BB6D1CB7C59418B9E

Uniqueness

Uniqueness Score: -1.00%

Function 0040CC67 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0040CC73

Part of subcall function 0040BB7E: __getptd_noexit.LIBCMT ref: 0040BB81

__getptd.LIBCMT ref: 0040CC8A

Strings

x[C, xrefs: 0040CCB5

Memory Dump Source

Source File: 00000004.00000002.1676990570.000000000040B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0040B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_40b000_gferuhf.jbxd

Similarity

API ID: __getptd$__getptd_noexit
String ID: x[C
API String ID: 989085358-322532431
Opcode ID: 78f73c5a8add5469d15dfe0212debd3cc396fcc4181ce23a58301c9834664f24
Instruction ID: b589b27d6c7a0deb32288ccddcaf34e1d8821bd18b9988cd748bef53a64da315
Opcode Fuzzy Hash: 78f73c5a8add5469d15dfe0212debd3cc396fcc4181ce23a58301c9834664f24
Instruction Fuzzy Hash: 49F01D72948700DBE621BBB6D446B4A73A0AF04728F14567FE444B76D1CB3CA9009B5E

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: 83BC.exePID: 2372, Parent PID: 3968COMMON

Execution Graph

Execution Coverage:	3.5%
Dynamic/Decrypted Code Coverage:	3%
Signature Coverage:	2.1%
Total number of Nodes:	1247
Total number of Limit Nodes:	34

Executed Functions

Function 024E0110 Relevance: 22.7, APIs: 15, Instructions: 248
memorynativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 024E0156
GetModuleFileNameA.KERNELBASE(00000000,?,00002800), ref: 024E016C
CreateProcessA.KERNELBASE(?,00000000), ref: 024E0255
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 024E0270
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 024E0283
Wow64GetThreadContext.KERNEL32(00000000,?), ref: 024E029F
ReadProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 024E02C8
NtUnmapViewOfSection.NTDLL(00000000,?), ref: 024E02E3
VirtualAllocEx.KERNELBASE(00000000,?,?,00003000,00000040), ref: 024E0304
NtWriteVirtualMemory.NTDLL(00000000,?,?,00000000,00000000), ref: 024E032A
NtWriteVirtualMemory.NTDLL(00000000,00000000,?,00000002,00000000), ref: 024E0399
WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 024E03BF
Wow64SetThreadContext.KERNEL32(00000000,?), ref: 024E03E1
ResumeThread.KERNELBASE(00000000), ref: 024E03ED
ExitProcess.KERNEL32(00000000), ref: 024E0412

Memory Dump Source

Source File: 00000005.00000002.1708683414.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24e0000_83BC.jbxd

Similarity

API ID: Virtual$MemoryProcess$AllocThreadWrite$ContextWow64$CreateExitFileFreeModuleNameReadResumeSectionUnmapView
String ID:
API String ID: 93872480-0
Opcode ID: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
Instruction ID: ef40bddb0e0e52f4b2d6ece654768be2858d65c6e5edcbeeff9ce99673deabbf
Opcode Fuzzy Hash: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
Instruction Fuzzy Hash: B3B1C874A00208AFDB44CF98C895F9EBBB5FF88314F248158E549AB395D771AE41CF94

Uniqueness

Uniqueness Score: -1.00%

Function 024E0420 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 024E0533

Strings

mfoaskdfnoa, xrefs: 024E0520, 024E0523
saodkfnosa9uin, xrefs: 024E04DA
0, xrefs: 024E0492
d, xrefs: 024E0584

Memory Dump Source

Source File: 00000005.00000002.1708683414.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24e0000_83BC.jbxd

Similarity

API ID: CreateWindow
String ID: 0$d$mfoaskdfnoa$saodkfnosa9uin
API String ID: 716092398-2341455598
Opcode ID: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
Instruction ID: 1fcf72079ec5b5f14d2c417a6693855a09a89038595473fed65ef98df6a86904
Opcode Fuzzy Hash: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
Instruction Fuzzy Hash: 33511670D08388DAEF11CBA8C849B9EBFB2AF11708F144059D5957F286C3FA5659CB62

Uniqueness

Uniqueness Score: -1.00%

Function 024E05B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesA.KERNELBASE(apfHQ), ref: 024E05EC

Strings

o, xrefs: 024E0600
apfHQ, xrefs: 024E05E2, 024E05E5

Memory Dump Source

Source File: 00000005.00000002.1708683414.00000000024E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 024E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_24e0000_83BC.jbxd

Similarity

API ID: AttributesFile
String ID: apfHQ$o
API String ID: 3188754299-2999369273
Opcode ID: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
Instruction ID: f38d88102c85209cd0a37b9ef54c2fb3393304e083a29e66e4d20b8d5f56d2a5
Opcode Fuzzy Hash: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
Instruction Fuzzy Hash: CB011EB0C0425CEAEF11DBA8C5183AEBFB5AF41309F148199C4193B341D7B69B99CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 005D4720 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30
librarymemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(kernel32.dll), ref: 005D4788
VirtualProtect.KERNELBASE(?,?,00000040,?), ref: 005D47A3

Strings

kernel32.dll, xrefs: 005D473C

Memory Dump Source

Source File: 00000005.00000002.1707422272.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1707342730.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707719225.00000000005DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707751033.00000000005E1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707830982.00000000005E2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707896520.00000000005E3000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707971710.00000000005E9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_83BC.jbxd

Similarity

API ID: LibraryLoadProtectVirtual
String ID: kernel32.dll
API String ID: 3279857687-1793498882
Opcode ID: 124ea4756a777e015341c52e0e474f8b507b1e74583efecf49db41c9394b6d5a
Instruction ID: 35afaccf6145183a4581f761758cd7b500360169f7c749375fea3f28d81ee408
Opcode Fuzzy Hash: 124ea4756a777e015341c52e0e474f8b507b1e74583efecf49db41c9394b6d5a
Instruction Fuzzy Hash: 9B01A5658093C0DED70A9B68E88D7553F695772604F4840CDD0C40F2A3D2E5875DFB72

Uniqueness

Uniqueness Score: -1.00%

Function 0040BF32 Relevance: 4.5, APIs: 3, Instructions: 45
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetEnvironmentStringsW.KERNEL32(00000000,00401DDB), ref: 0040BF35
__malloc_crt.LIBCMT ref: 0040BF63
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0040BF70

Memory Dump Source

Source File: 00000005.00000002.1707422272.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1707342730.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707719225.00000000005DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707751033.00000000005E1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707830982.00000000005E2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707896520.00000000005E3000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707971710.00000000005E9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_83BC.jbxd

Similarity

API ID: EnvironmentStrings$Free__malloc_crt
String ID:
API String ID: 237123855-0
Opcode ID: c7b0dd9c8cc9b9f3cbf0b518065c292cfa395e92db4b1b90b342dd4ed4413532
Instruction ID: 308620e2afd9e6a9aca1e87afe73a23b85f1b334265c8b9adb625bd991f608a0
Opcode Fuzzy Hash: c7b0dd9c8cc9b9f3cbf0b518065c292cfa395e92db4b1b90b342dd4ed4413532
Instruction Fuzzy Hash: 69F027375050229ECA20B6353C08877163CDADA32931248BBF897D3380FB784C838AEC

Uniqueness

Uniqueness Score: -1.00%

Function 005D4FA0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 34
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatA.KERNEL32(?,Girewe jayuxijaneholof pawozah ruhomoziyupuj,000000FE,00000000), ref: 005D4FED

Strings

Girewe jayuxijaneholof pawozah ruhomoziyupuj, xrefs: 005D4FE3

Memory Dump Source

Source File: 00000005.00000002.1707422272.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1707342730.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707719225.00000000005DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707751033.00000000005E1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707830982.00000000005E2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707896520.00000000005E3000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707971710.00000000005E9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_83BC.jbxd

Similarity

API ID: lstrcat
String ID: Girewe jayuxijaneholof pawozah ruhomoziyupuj
API String ID: 4038537762-620488407
Opcode ID: 1430bb6f4bb4727091b0f58e66b2578bb4d8ae06d6bb5a1259ca1ed87be113fb
Instruction ID: 47107355de78433d46da221cad6d1625c3b0335dc9fb6b0e87771668052e1dc7
Opcode Fuzzy Hash: 1430bb6f4bb4727091b0f58e66b2578bb4d8ae06d6bb5a1259ca1ed87be113fb
Instruction Fuzzy Hash: A2F0C8B26102404BCB289F7CEC8556977A5F7F4320F41062FD395DB3A0E734884ADB56

Uniqueness

Uniqueness Score: -1.00%

Function 005D47B0 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 17
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(kernel32.dll,005D4E61), ref: 005D4807

Strings

kernel32.dll, xrefs: 005D47B4, 005D4802

Memory Dump Source

Source File: 00000005.00000002.1707422272.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1707342730.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707719225.00000000005DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707751033.00000000005E1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707830982.00000000005E2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707896520.00000000005E3000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707971710.00000000005E9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_83BC.jbxd

Similarity

API ID: LibraryLoad
String ID: kernel32.dll
API String ID: 1029625771-1793498882
Opcode ID: 9a99f21f87bddc2ee8d459b6d36c3902de37869db1513cee59a2c594ebd57622
Instruction ID: a279afcd44f572f9344c3f6f2d505c09b3b43cc754a27176f585c2817a82b542
Opcode Fuzzy Hash: 9a99f21f87bddc2ee8d459b6d36c3902de37869db1513cee59a2c594ebd57622
Instruction Fuzzy Hash: 64F02B0194D2C0D9EB0A8729B89E7512F991772608F4C40CEC0C41F2A3D2EA831DFBB6

Uniqueness

Uniqueness Score: -1.00%

Function 023187C6 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 023187EE
Module32First.KERNEL32(00000000,00000224), ref: 0231880E

Memory Dump Source

Source File: 00000005.00000002.1708502854.0000000002318000.00000040.00000020.00020000.00000000.sdmp, Offset: 02318000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2318000_83BC.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 507b096daf25010b5fd1471d995773a633d5690645fe0a51a4df9a0298081639
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: BAF096312007106FE7243BF5A88DB6E76E8AF49729F100528E642910C0DB70E8454A65

Uniqueness

Uniqueness Score: -1.00%

Function 0040C281 Relevance: 1.5, APIs: 1, Instructions: 20
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0040C296

Memory Dump Source

Source File: 00000005.00000002.1707422272.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1707342730.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707719225.00000000005DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707751033.00000000005E1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707830982.00000000005E2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707896520.00000000005E3000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707971710.00000000005E9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_83BC.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: f524e7b691cf7870615d0a728dc128d6567aec2ef04d51908bd14e0101d29b41
Instruction ID: 277b81bc5244d1321664e390184a2a2fb0e66f27cd736e943959df1ecc0a189a
Opcode Fuzzy Hash: f524e7b691cf7870615d0a728dc128d6567aec2ef04d51908bd14e0101d29b41
Instruction Fuzzy Hash: 8ED05E369503849BDB105FB1AC497223BECD394795F104437F84CCA290F678C684EA44

Uniqueness

Uniqueness Score: -1.00%

Function 02318485 Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 023184D6

Memory Dump Source

Source File: 00000005.00000002.1708502854.0000000002318000.00000040.00000020.00020000.00000000.sdmp, Offset: 02318000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_2318000_83BC.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 0d016e9fca8676a38ec3f0c48ba9e9a112180dc9783f39c06387a00aa515c448
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: EE113C79A00208EFDB01DF98C985E99BBF5EF08350F058094F9489B361D371EA90DF84

Uniqueness

Uniqueness Score: -1.00%

Function 005D46F0 Relevance: 1.3, APIs: 1, Instructions: 6
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalAlloc.KERNELBASE(00000000,?,005D4DD6), ref: 005D46F8

Memory Dump Source

Source File: 00000005.00000002.1707422272.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1707342730.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707719225.00000000005DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707751033.00000000005E1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707830982.00000000005E2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707896520.00000000005E3000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707971710.00000000005E9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_83BC.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 8240eb294644b667f3b589701c5f7967df1957035b28f96c8ac9a08568ae5bf8
Instruction ID: 43da25c614098c48de0d899a6ac898b5b17fc27bc6c4ccb26356f52a6d34d6bf
Opcode Fuzzy Hash: 8240eb294644b667f3b589701c5f7967df1957035b28f96c8ac9a08568ae5bf8
Instruction Fuzzy Hash: 24B092B59026409BD7088F60AC88B243BA8B36C622F400046B544891A0E6201489BE20

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 005D49C0 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 56filepipeCOMMON

Download Yara Rule

APIs

LocalHandle.KERNEL32(00000000), ref: 005D49DB
ReadConsoleOutputW.KERNEL32(00000000,?,?,?,?), ref: 005D4A29
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 005D4A31
CreateNamedPipeW.KERNEL32(xamasu,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005D4A4A
SetEndOfFile.KERNEL32(00000000), ref: 005D4A52
GlobalDeleteAtom.KERNEL32(00000000), ref: 005D4A6D

Strings

xamasu, xrefs: 005D4A45

Memory Dump Source

Source File: 00000005.00000002.1707422272.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1707342730.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707719225.00000000005DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707751033.00000000005E1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707830982.00000000005E2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707896520.00000000005E3000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707971710.00000000005E9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_83BC.jbxd

Similarity

API ID: AtomConsoleCreateDeleteEnvironmentFileFreeGlobalHandleLocalNamedOutputPipeReadStrings
String ID: xamasu
API String ID: 1729102079-1455772093
Opcode ID: 9bf71cd07515cc7fcbd7d7feb6b45fd7e6423d35ec7dc9b8975417de75eaa5f9
Instruction ID: e20c367ecf7dd5886f7046f0daadd226b0525a4a49a31c352cca6ac3102ee74d
Opcode Fuzzy Hash: 9bf71cd07515cc7fcbd7d7feb6b45fd7e6423d35ec7dc9b8975417de75eaa5f9
Instruction Fuzzy Hash: 381133315492009BD724EF78EC89B1B77B5BFE8711F40842BF549C62A0E67095499F27

Uniqueness

Uniqueness Score: -1.00%

Function 0040114A Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 00401F64
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00401F79
UnhandledExceptionFilter.KERNEL32(03^), ref: 00401F84
GetCurrentProcess.KERNEL32(C0000409), ref: 00401FA0
TerminateProcess.KERNEL32(00000000), ref: 00401FA7

Strings

03^, xrefs: 00401F7F

Memory Dump Source

Source File: 00000005.00000002.1707422272.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1707342730.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707719225.00000000005DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707751033.00000000005E1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707830982.00000000005E2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707896520.00000000005E3000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707971710.00000000005E9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_83BC.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID: 03^
API String ID: 2579439406-2744264001
Opcode ID: a6cd94176431d89345a9bb663dcd2bd193131ef603cd5538ea73b7305df91d71
Instruction ID: e64f45bb8adba3453280d5b28eb731c60f86941da571ba0885a4819d0d605e87
Opcode Fuzzy Hash: a6cd94176431d89345a9bb663dcd2bd193131ef603cd5538ea73b7305df91d71
Instruction Fuzzy Hash: D4210474401284DFCB1ADF25E8CCA547BB4BB28304F00546AE4889B3A1E7705A8DEB19

Uniqueness

Uniqueness Score: -1.00%

Function 005D4A80 Relevance: 96.5, APIs: 40, Strings: 15, Instructions: 286timelibrarymemoryCOMMON

Download Yara Rule

APIs

SetTimerQueueTimer.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 005D4AD3
GetLastError.KERNEL32 ref: 005D4AD9
GetCompressedFileSizeW.KERNEL32(hem,?), ref: 005D4AFA
GetAtomNameA.KERNEL32(00000000,?,00000000), ref: 005D4B4E
SetComputerNameA.KERNEL32(fedabomalozosatebusuhuzogisarojotasikuyinegizowuvovezax), ref: 005D4B59
_memset.LIBCMT ref: 005D4B74
SetDefaultCommConfigA.KERNEL32(Safemerofo,?,00000000), ref: 005D4B8A
CopyFileExA.KERNEL32(xupakesopopakuxo,tacusuhicage,00000000,00000000,00000000,00000000), ref: 005D4BA2
FreeEnvironmentStringsW.KERNEL32(00000000), ref: 005D4BAA
AddAtomW.KERNEL32(risucemufapecunisusiwatanole), ref: 005D4BB5
GetCurrentDirectoryA.KERNEL32(00000000,?), ref: 005D4BC4
GetModuleHandleA.KERNEL32(00000000), ref: 005D4BCC
EnumDateFormatsExW.KERNEL32(00000000,00000000,00000000), ref: 005D4BD8
DeleteCriticalSection.KERNEL32(?), ref: 005D4BEE
LoadLibraryW.KERNEL32(00000000), ref: 005D4BFF
_sprintf.LIBCMT ref: 005D4C0F
DisableThreadLibraryCalls.KERNEL32(00000000), ref: 005D4C62
SetConsoleTitleW.KERNEL32(00000000), ref: 005D4C6A
LocalFree.KERNEL32(00000000), ref: 005D4C72
GetConsoleAliasesLengthW.KERNEL32(00000000), ref: 005D4C84
DnsHostnameToComputerNameA.KERNEL32(hayeliyapavizovowinigaxomacowiwapihicivoje,?,?), ref: 005D4C9D
MultiByteToWideChar.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 005D4CAF
GlobalWire.KERNEL32(00000000), ref: 005D4CB7
GetTempFileNameA.KERNEL32(00000000,00000000,00000000,?), ref: 005D4CCA
MoveFileExA.KERNEL32(00000000,00000000,00000000), ref: 005D4CD6
OpenWaitableTimerA.KERNEL32(00000000,00000000,Yuhegoveson daxelowam zitaj roborile), ref: 005D4CE5
CompareStringW.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000), ref: 005D4CF7
GetLongPathNameA.KERNEL32(Rimavowegal buhaviluzu tesoyaz jicuk,?,00000000), ref: 005D4D0B
HeapValidate.KERNEL32(00000000,00000000,00000000), ref: 005D4D17
_calloc.LIBCMT ref: 005D4D21
__vswprintf.LIBCMT ref: 005D4D38
_calloc.LIBCMT ref: 005D4D44
_wscanf.LIBCMT ref: 005D4D51
_memset.LIBCMT ref: 005D4D73
_calloc.LIBCMT ref: 005D4DA9
BuildCommDCBW.KERNEL32(Xucawisi,?), ref: 005D4E4A
SetPriorityClass.KERNEL32(00000000,00000000), ref: 005D4E54
GetConsoleOutputCP.KERNEL32 ref: 005D4EED
SetFileAttributesW.KERNEL32(Sonedi vifizuxim dezanivarun xuretivase noladunes,00000000), ref: 005D4F10
OpenWaitableTimerA.KERNEL32(00000000,00000000,00000000), ref: 005D4F1C

Strings

risucemufapecunisusiwatanole, xrefs: 005D4BB0
hayeliyapavizovowinigaxomacowiwapihicivoje, xrefs: 005D4C98
0 %s %d %f, xrefs: 005D4D4C
kernel32.dll, xrefs: 005D4C0A, 005D4D33
Safemerofo, xrefs: 005D4B85
fedabomalozosatebusuhuzogisarojotasikuyinegizowuvovezax, xrefs: 005D4B54
0 %f, xrefs: 005D4D2E
Rimavowegal buhaviluzu tesoyaz jicuk, xrefs: 005D4D06
Sonedi vifizuxim dezanivarun xuretivase noladunes, xrefs: 005D4F0B
hem, xrefs: 005D4AF5
xupakesopopakuxo, xrefs: 005D4B9D
tacusuhicage, xrefs: 005D4B98
tl_, xrefs: 005D4B16
Yuhegoveson daxelowam zitaj roborile, xrefs: 005D4CDC
Xucawisi, xrefs: 005D4E45

Memory Dump Source

Source File: 00000005.00000002.1707422272.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1707342730.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707719225.00000000005DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707751033.00000000005E1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707830982.00000000005E2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707896520.00000000005E3000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707971710.00000000005E9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_83BC.jbxd

Similarity

API ID: FileName$Timer$Console_calloc$AtomCommComputerFreeLibraryOpenWaitable_memset$AliasesAttributesBuildByteCallsCharClassCompareCompressedConfigCopyCriticalCurrentDateDefaultDeleteDirectoryDisableEnumEnvironmentErrorFormatsGlobalHandleHeapHostnameLastLengthLoadLocalLongModuleMoveMultiOutputPathPriorityQueueSectionSizeStringStringsTempThreadTitleValidateWideWire__vswprintf_sprintf_wscanf
String ID: 0 %f$0 %s %d %f$Rimavowegal buhaviluzu tesoyaz jicuk$Safemerofo$Sonedi vifizuxim dezanivarun xuretivase noladunes$Xucawisi$Yuhegoveson daxelowam zitaj roborile$fedabomalozosatebusuhuzogisarojotasikuyinegizowuvovezax$hayeliyapavizovowinigaxomacowiwapihicivoje$hem$kernel32.dll$risucemufapecunisusiwatanole$tacusuhicage$tl_$xupakesopopakuxo
API String ID: 495388908-2603063048
Opcode ID: 695cf1ba9796a215fb268d32fae62eefce8b37e4d2a0789d059060b55dd2710b
Instruction ID: b2d55ecec7fff098240e47999b41d0e18f12b4a01870f77d4913ca57dea581ff
Opcode Fuzzy Hash: 695cf1ba9796a215fb268d32fae62eefce8b37e4d2a0789d059060b55dd2710b
Instruction Fuzzy Hash: FEB1A471981304EBEB34AFA4EC4EB997B74FB64706F004057F2096A2D1E7B05989DF26

Uniqueness

Uniqueness Score: -1.00%

Function 0040DD6B Relevance: 15.1, APIs: 10, Instructions: 95COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 0040DD84

Part of subcall function 00408698: __calloc_impl.LIBCMT ref: 004086A9
Part of subcall function 00408698: Sleep.KERNEL32(00000000,00402FBF,0040116E), ref: 004086C0

__calloc_crt.LIBCMT ref: 0040DDA8
__calloc_crt.LIBCMT ref: 0040DDC4
__copytlocinfo_nolock.LIBCMT ref: 0040DDE9
__setlocale_nolock.LIBCMT ref: 0040DDF6
___removelocaleref.LIBCMT ref: 0040DE02
___freetlocinfo.LIBCMT ref: 0040DE09
__setmbcp_nolock.LIBCMT ref: 0040DE21
___removelocaleref.LIBCMT ref: 0040DE36
___freetlocinfo.LIBCMT ref: 0040DE3D

Memory Dump Source

Source File: 00000005.00000002.1707422272.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1707342730.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707719225.00000000005DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707751033.00000000005E1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707830982.00000000005E2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707896520.00000000005E3000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707971710.00000000005E9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_83BC.jbxd

Similarity

API ID: __calloc_crt$___freetlocinfo___removelocaleref$Sleep__calloc_impl__copytlocinfo_nolock__setlocale_nolock__setmbcp_nolock
String ID:
API String ID: 2969281212-0
Opcode ID: c70c74c5b8edf2ca2df1aacb93fc068fb113efb8875545d21e1f645cc8d32026
Instruction ID: 7b5b4c6492cbda98d1d0a6e1946fcda0163c3c5f3b0d8ca8a8bbdc733021f2c4
Opcode Fuzzy Hash: c70c74c5b8edf2ca2df1aacb93fc068fb113efb8875545d21e1f645cc8d32026
Instruction Fuzzy Hash: 8A212C35504602DBD7217F96D802A4BBBE5DF82764B21843FF485772D1DE3A8804869D

Uniqueness

Uniqueness Score: -1.00%

Function 0040D216 Relevance: 9.0, APIs: 6, Instructions: 44COMMON

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0040D222

Part of subcall function 004082C8: __getptd_noexit.LIBCMT ref: 004082CB
Part of subcall function 004082C8: __amsg_exit.LIBCMT ref: 004082D8

__calloc_crt.LIBCMT ref: 0040D22D

Part of subcall function 00408698: __calloc_impl.LIBCMT ref: 004086A9
Part of subcall function 00408698: Sleep.KERNEL32(00000000,00402FBF,0040116E), ref: 004086C0

__lock.LIBCMT ref: 0040D263
___addlocaleref.LIBCMT ref: 0040D26F
__lock.LIBCMT ref: 0040D283
InterlockedIncrement.KERNEL32(?), ref: 0040D293

Part of subcall function 00402FBA: __getptd_noexit.LIBCMT ref: 00402FBA

Memory Dump Source

Source File: 00000005.00000002.1707422272.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1707342730.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707719225.00000000005DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707751033.00000000005E1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707830982.00000000005E2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707896520.00000000005E3000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707971710.00000000005E9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_83BC.jbxd

Similarity

API ID: __getptd_noexit__lock$IncrementInterlockedSleep___addlocaleref__amsg_exit__calloc_crt__calloc_impl__getptd
String ID:
API String ID: 3538106438-0
Opcode ID: 27c906981a20cc50cc5f2c27753dd0ec7639ab101b7137dcc1149636d28707d1
Instruction ID: 2a31b4534c113441dfcdc768b40f26044958164bea3a783004b2f7ffdbca7413
Opcode Fuzzy Hash: 27c906981a20cc50cc5f2c27753dd0ec7639ab101b7137dcc1149636d28707d1
Instruction Fuzzy Hash: 00019E71901301EAE720BBF9990371CB7A0AF41728F20827FF884B72C1CA7C98059B6D

Uniqueness

Uniqueness Score: -1.00%

Function 00411BBA Relevance: 7.6, APIs: 5, Instructions: 71COMMON

Download Yara Rule

APIs

GetFileType.KERNEL32(?,?,?,005DF6C0,0000000C), ref: 00411BEE
GetLastError.KERNEL32(?,?,005DF6C0,0000000C), ref: 00411BF8
__dosmaperr.LIBCMT ref: 00411BFF
__alloc_osfhnd.LIBCMT ref: 00411C20
__set_osfhnd.LIBCMT ref: 00411C4A

Memory Dump Source

Source File: 00000005.00000002.1707422272.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1707342730.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707719225.00000000005DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707751033.00000000005E1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707830982.00000000005E2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707896520.00000000005E3000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707971710.00000000005E9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_83BC.jbxd

Similarity

API ID: ErrorFileLastType__alloc_osfhnd__dosmaperr__set_osfhnd
String ID:
API String ID: 43408053-0
Opcode ID: 5235b3e0cd29d2853f5159aa76e5ef72b952bb872d1800fde3c97d3c09062e3e
Instruction ID: 34ba2eecf9099025350196d3bc86ecf6b8d428258272c31ffe8d2475f610f914
Opcode Fuzzy Hash: 5235b3e0cd29d2853f5159aa76e5ef72b952bb872d1800fde3c97d3c09062e3e
Instruction Fuzzy Hash: B82145305862059BCF119F75C8053DA7B60AF41368F28824BE6608F2F2E77C8581DF88

Uniqueness

Uniqueness Score: -1.00%

Function 0040D20B Relevance: 7.6, APIs: 5, Instructions: 59COMMON

Download Yara Rule

APIs

__lock.LIBCMT ref: 0040D162

Part of subcall function 0040798F: __mtinitlocknum.LIBCMT ref: 004079A5
Part of subcall function 0040798F: __amsg_exit.LIBCMT ref: 004079B1
Part of subcall function 0040798F: EnterCriticalSection.KERNEL32(00402FB0,00402FB0,?,004048AF,00000004,005DF360,0000000C,004086AE,0040116E,00402FBF,00000000,00000000,00000000,?,0040827A,00000001), ref: 004079B9

InterlockedDecrement.KERNEL32(00000000), ref: 0040D174

Part of subcall function 0040DFDB: __lock.LIBCMT ref: 0040DFF9
Part of subcall function 0040DFDB: ___sbh_find_block.LIBCMT ref: 0040E004
Part of subcall function 0040DFDB: ___sbh_free_block.LIBCMT ref: 0040E013
Part of subcall function 0040DFDB: HeapFree.KERNEL32(00000000,0040116E,005DF598,0000000C,00407970,00000000,005DF3C0,0000000C,004079AA,0040116E,00402FB0,?,004048AF,00000004,005DF360,0000000C), ref: 0040E043
Part of subcall function 0040DFDB: GetLastError.KERNEL32(?,004048AF,00000004,005DF360,0000000C,004086AE,0040116E,00402FBF,00000000,00000000,00000000,?,0040827A,00000001,00000214), ref: 0040E054

__lock.LIBCMT ref: 0040D1A2
___removelocaleref.LIBCMT ref: 0040D1B1
___freetlocinfo.LIBCMT ref: 0040D1CA

Memory Dump Source

Source File: 00000005.00000002.1707422272.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1707342730.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707719225.00000000005DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707751033.00000000005E1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707830982.00000000005E2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707896520.00000000005E3000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707971710.00000000005E9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_83BC.jbxd

Similarity

API ID: __lock$CriticalDecrementEnterErrorFreeHeapInterlockedLastSection___freetlocinfo___removelocaleref___sbh_find_block___sbh_free_block__amsg_exit__mtinitlocknum
String ID:
API String ID: 1907232653-0
Opcode ID: 948bb8ac5ec46ea10aa16855a2e6a7e8656718c6dae603ce201c99792083ce74
Instruction ID: a810246a096b3bbe0d19b6fbc838a3f94ddde311780f26d895d35be02afd285e
Opcode Fuzzy Hash: 948bb8ac5ec46ea10aa16855a2e6a7e8656718c6dae603ce201c99792083ce74
Instruction Fuzzy Hash: C91191719012009ADB20AFE5944672A77A4AF00714F24053FF895BB2C1DF3CD885865D

Uniqueness

Uniqueness Score: -1.00%

Function 0040C83A Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0040C846

Part of subcall function 004082C8: __getptd_noexit.LIBCMT ref: 004082CB
Part of subcall function 004082C8: __amsg_exit.LIBCMT ref: 004082D8

__amsg_exit.LIBCMT ref: 0040C866
__lock.LIBCMT ref: 0040C876
InterlockedDecrement.KERNEL32(?), ref: 0040C893
InterlockedIncrement.KERNEL32(02302CC0), ref: 0040C8BE

Memory Dump Source

Source File: 00000005.00000002.1707422272.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1707342730.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707719225.00000000005DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707751033.00000000005E1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707830982.00000000005E2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707896520.00000000005E3000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707971710.00000000005E9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_83BC.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 82fe700ade242c0908b902ece444d56e046a1e1caafe9acffe8e6cc85c8b1b05
Instruction ID: e08a1dc95972f0efa4460744e8201233fe8f9217ee9f0cd9242706d55859cfac
Opcode Fuzzy Hash: 82fe700ade242c0908b902ece444d56e046a1e1caafe9acffe8e6cc85c8b1b05
Instruction Fuzzy Hash: 0A01AD33901A11DBDB20BB66988676EBB60BF01716F04823BE841776C1CB3CA941DBDD

Uniqueness

Uniqueness Score: -1.00%

Function 0040DFDB Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 0040DFF9

Part of subcall function 0040798F: __mtinitlocknum.LIBCMT ref: 004079A5
Part of subcall function 0040798F: __amsg_exit.LIBCMT ref: 004079B1
Part of subcall function 0040798F: EnterCriticalSection.KERNEL32(00402FB0,00402FB0,?,004048AF,00000004,005DF360,0000000C,004086AE,0040116E,00402FBF,00000000,00000000,00000000,?,0040827A,00000001), ref: 004079B9

___sbh_find_block.LIBCMT ref: 0040E004
___sbh_free_block.LIBCMT ref: 0040E013
HeapFree.KERNEL32(00000000,0040116E,005DF598,0000000C,00407970,00000000,005DF3C0,0000000C,004079AA,0040116E,00402FB0,?,004048AF,00000004,005DF360,0000000C), ref: 0040E043
GetLastError.KERNEL32(?,004048AF,00000004,005DF360,0000000C,004086AE,0040116E,00402FBF,00000000,00000000,00000000,?,0040827A,00000001,00000214), ref: 0040E054

Memory Dump Source

Source File: 00000005.00000002.1707422272.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1707342730.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707719225.00000000005DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707751033.00000000005E1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707830982.00000000005E2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707896520.00000000005E3000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707971710.00000000005E9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_83BC.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: e9ed2a9513954617c21dff8016b2331576a0af6a9ce2a724fef58dd75ece658f
Instruction ID: 1f9df5dba051740d2bfb4225f472511e1883bc6cf3a173e4a3fd1892b6a33370
Opcode Fuzzy Hash: e9ed2a9513954617c21dff8016b2331576a0af6a9ce2a724fef58dd75ece658f
Instruction Fuzzy Hash: 2A01A771901321EADB346FB2DC0A75E7778AF503A9F60443FF500761D1CA7C89559A5C

Uniqueness

Uniqueness Score: -1.00%

Function 005D5DDC Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,005D50B1), ref: 005D5DE1
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 005D5DF1

Strings

KERNEL32, xrefs: 005D5DDC
IsProcessorFeaturePresent, xrefs: 005D5DEB

Memory Dump Source

Source File: 00000005.00000002.1707422272.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1707342730.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707719225.00000000005DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707751033.00000000005E1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707830982.00000000005E2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707896520.00000000005E3000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707971710.00000000005E9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_83BC.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: 428058febc5cf839e2aaa40c28014565c8a2a5b6e388be1e5d064f6210a94d96
Instruction ID: d238a8934e504b0fccded69e2355cbf272db9b6fed29f50ad340c6bf7265549c
Opcode Fuzzy Hash: 428058febc5cf839e2aaa40c28014565c8a2a5b6e388be1e5d064f6210a94d96
Instruction Fuzzy Hash: BBF01D30A00A09D2DB202BA9AC0E76F7F79FB90702FA505939197A1185EF3081B4D395

Uniqueness

Uniqueness Score: -1.00%

Function 005D4810 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 32COMMON

Download Yara Rule

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000000), ref: 005D4840
SetVolumeLabelW.KERNEL32(cedayuriki,ezufor), ref: 005D4880

Strings

cedayuriki, xrefs: 005D487B
ezufor, xrefs: 005D4876

Memory Dump Source

Source File: 00000005.00000002.1707422272.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1707342730.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707719225.00000000005DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707751033.00000000005E1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707830982.00000000005E2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707896520.00000000005E3000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707971710.00000000005E9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_83BC.jbxd

Similarity

API ID: FileLabelModuleNameVolume
String ID: cedayuriki$ezufor
API String ID: 2532863745-4106418396
Opcode ID: d010929e49d43ce35ca47d08baca58bbdad665457ae8b0e360ef29b6a89b5e75
Instruction ID: 8d046f0ecab49aa8bbad18f20b58ddcb05f7057bb21cf020c69dad135517072b
Opcode Fuzzy Hash: d010929e49d43ce35ca47d08baca58bbdad665457ae8b0e360ef29b6a89b5e75
Instruction Fuzzy Hash: 8B018632544340DBD378AF64E84ABA63BF4FB68705F40442FE1C59A290EF385488DF52

Uniqueness

Uniqueness Score: -1.00%

Function 005D48B0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

CreateJobObjectA.KERNEL32(00000000,Bezematevaneri fedilovewe), ref: 005D48C6
HeapReAlloc.KERNEL32(00000000,00000000,00000000,00000000), ref: 005D48E9
QueryPerformanceFrequency.KERNEL32 ref: 005D48F3

Strings

Bezematevaneri fedilovewe, xrefs: 005D48BF

Memory Dump Source

Source File: 00000005.00000002.1707422272.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1707342730.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707719225.00000000005DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707751033.00000000005E1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707830982.00000000005E2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707896520.00000000005E3000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707971710.00000000005E9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_83BC.jbxd

Similarity

API ID: AllocCreateFrequencyHeapObjectPerformanceQuery
String ID: Bezematevaneri fedilovewe
API String ID: 1833813744-2699451508
Opcode ID: 53f89b804dcd1190f00f33c91c29dc08baa86d6bf0efdfbd5a256c1d2e99eec3
Instruction ID: 446e8c255175d5ccae253a2ec2078725af66d5a7312e18e47331d7ce8ae18933
Opcode Fuzzy Hash: 53f89b804dcd1190f00f33c91c29dc08baa86d6bf0efdfbd5a256c1d2e99eec3
Instruction Fuzzy Hash: 0CE04F30281341AFEA34AB64EC4EB053B70BB60B0AF80451BF586991D1EBB4540DEF26

Uniqueness

Uniqueness Score: -1.00%

Function 00411490 Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 004114C4
__isleadbyte_l.LIBCMT ref: 004114F8
MultiByteToWideChar.KERNEL32(?,00000009,?,?,?,00000000,?,?,?,00000000,?,?,00000000), ref: 00411529
MultiByteToWideChar.KERNEL32(?,00000009,?,00000001,?,00000000,?,?,?,00000000,?,?,00000000), ref: 00411597

Memory Dump Source

Source File: 00000005.00000002.1707422272.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1707342730.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707719225.00000000005DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707751033.00000000005E1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707830982.00000000005E2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707896520.00000000005E3000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707971710.00000000005E9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_83BC.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 5f5813b4fd667af5a10f8e6a240147d7bd8a6b7ceb6ebc44c264b509540b21fd
Instruction ID: 353d273b0c4e025fba89cd9b370088b84302e4acf539ca796d05794b1b0cd60a
Opcode Fuzzy Hash: 5f5813b4fd667af5a10f8e6a240147d7bd8a6b7ceb6ebc44c264b509540b21fd
Instruction Fuzzy Hash: 2E31B331A00256EFDB20DF64CC84DFE3BB6AF41311F14856AE6619B2A1D338DD81DB69

Uniqueness

Uniqueness Score: -1.00%

Function 005D5CC8 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 005D5CEE

Part of subcall function 005D5AD6: __fltout2.LIBCMT ref: 005D5B02

__cftog_l.LIBCMT ref: 005D5D14
__cftoe_l.LIBCMT ref: 005D5D46

Memory Dump Source

Source File: 00000005.00000002.1707422272.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1707342730.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707719225.00000000005DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707751033.00000000005E1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707830982.00000000005E2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707896520.00000000005E3000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707971710.00000000005E9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_83BC.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: afc8384d7de5dc81d749eb2ef2e502e72940c946d5071aaa17129bf9d5fb4602
Instruction ID: 3487a8d023f781c1662d5d812fe785f3972bbdc7c57b14aa20a421339485b303
Opcode Fuzzy Hash: afc8384d7de5dc81d749eb2ef2e502e72940c946d5071aaa17129bf9d5fb4602
Instruction Fuzzy Hash: 8211837200054ABBDF226E88CC59CED3F23BB58350B588817FE1859231E236CA71AB91

Uniqueness

Uniqueness Score: -1.00%

Function 00411E78 Relevance: 6.0, APIs: 4, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

__FF_MSGBANNER.LIBCMT ref: 00411E86

Part of subcall function 0040BA12: __set_error_mode.LIBCMT ref: 0040BA14
Part of subcall function 0040BA12: __set_error_mode.LIBCMT ref: 0040BA21
Part of subcall function 0040BA12: __NMSG_WRITE.LIBCMT ref: 0040BA39
Part of subcall function 0040BA12: __NMSG_WRITE.LIBCMT ref: 0040BA43

__NMSG_WRITE.LIBCMT ref: 00411E8D

Part of subcall function 0040B841: __set_error_mode.LIBCMT ref: 0040B872
Part of subcall function 0040B841: __set_error_mode.LIBCMT ref: 0040B883
Part of subcall function 0040B841: _strcpy_s.LIBCMT ref: 0040B8B7
Part of subcall function 0040B841: __invoke_watson.LIBCMT ref: 0040B8C8
Part of subcall function 0040B841: GetModuleFileNameA.KERNEL32(00000000,005E3811,00000104,00402FBF,0040116E), ref: 0040B8E4
Part of subcall function 0040B841: _strcpy_s.LIBCMT ref: 0040B8F9
Part of subcall function 0040B841: __invoke_watson.LIBCMT ref: 0040B90C
Part of subcall function 0040B841: _strlen.LIBCMT ref: 0040B915
Part of subcall function 0040B841: _strlen.LIBCMT ref: 0040B922
Part of subcall function 0040B841: __invoke_watson.LIBCMT ref: 0040B94F

Part of subcall function 004088AB: ___crtCorExitProcess.LIBCMT ref: 004088B3
Part of subcall function 004088AB: ExitProcess.KERNEL32 ref: 004088BC

HeapAlloc.KERNEL32(00000000,?), ref: 00411EB9
HeapAlloc.KERNEL32(00000000,?), ref: 00411EE9

Part of subcall function 00411E29: __lock.LIBCMT ref: 00411E46
Part of subcall function 00411E29: ___sbh_alloc_block.LIBCMT ref: 00411E51

Memory Dump Source

Source File: 00000005.00000002.1707422272.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1707342730.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707719225.00000000005DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707751033.00000000005E1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707830982.00000000005E2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707896520.00000000005E3000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707971710.00000000005E9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_83BC.jbxd

Similarity

API ID: __set_error_mode$__invoke_watson$AllocExitHeapProcess_strcpy_s_strlen$FileModuleName___crt___sbh_alloc_block__lock
String ID:
API String ID: 913549098-0
Opcode ID: bf4278e11ef85fec1399b1721d3a462f1d50d589d2ff71066963145c7e256508
Instruction ID: 517effd2f5d1e4ee2063112499e5f08cbd7e0e5b5d7418286829b496ce36120c
Opcode Fuzzy Hash: bf4278e11ef85fec1399b1721d3a462f1d50d589d2ff71066963145c7e256508
Instruction Fuzzy Hash: 7BF0F93154132467DB206795EC45BA63768EB50364F204027FE48AB1F1D7249D81559C

Uniqueness

Uniqueness Score: -1.00%

Function 0040C2B2 Relevance: 6.0, APIs: 4, Instructions: 34memoryCOMMON

Download Yara Rule

APIs

VirtualFree.KERNEL32(?,00000000,00008000,?), ref: 0040C2E0
HeapFree.KERNEL32(00000000,?), ref: 0040C2F0
HeapFree.KERNEL32(00000000), ref: 0040C30D
HeapDestroy.KERNEL32 ref: 0040C317

Memory Dump Source

Source File: 00000005.00000002.1707422272.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1707342730.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707719225.00000000005DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707751033.00000000005E1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707830982.00000000005E2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707896520.00000000005E3000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707971710.00000000005E9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_83BC.jbxd

Similarity

API ID: FreeHeap$DestroyVirtual
String ID:
API String ID: 765507482-0
Opcode ID: 817560e951d49d91cdb36a3d7243db1e90e487bbb94a23591901c8c46b5a35ff
Instruction ID: 053c120e66831106fb588829a18b88eec201fd4d3bb048544c6f7165ca3cb1a2
Opcode Fuzzy Hash: 817560e951d49d91cdb36a3d7243db1e90e487bbb94a23591901c8c46b5a35ff
Instruction Fuzzy Hash: 2EF06732901360AFDB254F94EDC9B053B35FB60759FB2002BE6806B1B2D2726819EF64

Uniqueness

Uniqueness Score: -1.00%

Function 0040D016 Relevance: 6.0, APIs: 4, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0040D022

Part of subcall function 004082C8: __getptd_noexit.LIBCMT ref: 004082CB
Part of subcall function 004082C8: __amsg_exit.LIBCMT ref: 004082D8

__getptd.LIBCMT ref: 0040D039
__amsg_exit.LIBCMT ref: 0040D047
__lock.LIBCMT ref: 0040D057

Memory Dump Source

Source File: 00000005.00000002.1707422272.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1707342730.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707719225.00000000005DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707751033.00000000005E1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707830982.00000000005E2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707896520.00000000005E3000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707971710.00000000005E9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_83BC.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 925471ee8a33175dbe3d5a28921f56d1f7d8a8eced32a1368ccf1e21b9da4cda
Instruction ID: 4f809cceb2b7d67afb27cf0adf39f9faae8a4f04cb4785417f2c35b504996478
Opcode Fuzzy Hash: 925471ee8a33175dbe3d5a28921f56d1f7d8a8eced32a1368ccf1e21b9da4cda
Instruction Fuzzy Hash: 85F09671D407048BD720BBB5840675E73A06F40718F50467FE594B72C2CB3CA845DB5E

Uniqueness

Uniqueness Score: -1.00%

Function 00412C93 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 193COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00412CA3

Part of subcall function 00402113: __getptd.LIBCMT ref: 00402126

__iswctype_l.LIBCMT ref: 00412D0E

Strings

$, xrefs: 00412CF0

Memory Dump Source

Source File: 00000005.00000002.1707422272.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1707342730.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707719225.00000000005DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707751033.00000000005E1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707830982.00000000005E2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707896520.00000000005E3000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707971710.00000000005E9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_83BC.jbxd

Similarity

API ID: Locale$UpdateUpdate::___getptd__iswctype_l
String ID: $
API String ID: 2516049255-3993045852
Opcode ID: f76d54ce49725d613cdcaeee3ba02eeaaafad14eec774c8a1a793f919f77ce3f
Instruction ID: 0a67cb8f5fc85dd6b6319d298163b4e5b8f90f1d4a7f432d94e19f44d63ba942
Opcode Fuzzy Hash: f76d54ce49725d613cdcaeee3ba02eeaaafad14eec774c8a1a793f919f77ce3f
Instruction Fuzzy Hash: 4A61807180021ADADF219F18D7457EF77A0EB11365F24016BE851E6290D3B88EF2D79D

Uniqueness

Uniqueness Score: -1.00%

Function 00404952 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

__calloc_crt.LIBCMT ref: 00404974
__calloc_crt.LIBCMT ref: 0040498D

Strings

`6^, xrefs: 004049B9

Memory Dump Source

Source File: 00000005.00000002.1707422272.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.1707342730.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707719225.00000000005DD000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707751033.00000000005E1000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707830982.00000000005E2000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707896520.00000000005E3000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.1707971710.00000000005E9000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_400000_83BC.jbxd

Similarity

API ID: __calloc_crt
String ID: `6^
API String ID: 3494438863-2992242612
Opcode ID: cea656d19a49aa1657cf625772663b52f6d17583a4783ac12f40ac4b3860503b
Instruction ID: df224cdb938427dc7d74a326fe9eeec3ff094511b4a6a51533bd53dd3d729a72
Opcode Fuzzy Hash: cea656d19a49aa1657cf625772663b52f6d17583a4783ac12f40ac4b3860503b
Instruction Fuzzy Hash: C711E3F12056614BE71C8F3EBC8066326C5EBD4768B24023BF390EB3D0EA388882525D

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: 9561.exePID: 3488, Parent PID: 3968COMMON

Executed Functions

Function 015A0590 Relevance: .5, Instructions: 470COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1768912044.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_9561.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67e17c35bb60c6100bdbf0e2332278cbbdcaf6d67a6b29933ad2335f76d262d2
Instruction ID: 0c975ee9aac988f0feada8e8902af6637eed1405bf426aa02d5d53240cd123c6
Opcode Fuzzy Hash: 67e17c35bb60c6100bdbf0e2332278cbbdcaf6d67a6b29933ad2335f76d262d2
Instruction Fuzzy Hash: FD51373494024DDFCB06EFA8E5A0AAE7BB2BF89700F6085AEC0146B354CB759D45CF91

Uniqueness

Uniqueness Score: -1.00%

Function 015A0A50 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1768912044.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_9561.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3824b90390ed9b8a8749f2798390554727761643aed7125d66863bf57a90c1d6
Instruction ID: 97ee4d259a82988b81b7834323d024924994485d7b028ce39e45f2c192c101b3
Opcode Fuzzy Hash: 3824b90390ed9b8a8749f2798390554727761643aed7125d66863bf57a90c1d6
Instruction Fuzzy Hash: 3471E3347502059FD725EB6CD4A4A2DBFA2BF88310B9A8169E516CF3D9DB70EC05CB81

Uniqueness

Uniqueness Score: -1.00%

Function 015A0848 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1768912044.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_9561.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c69bff13244b2f88b35f7c27914c0fb10f57ca2d2e48f4bddc1e06f7d2462a35
Instruction ID: c5dd486ef30f63a8aa8b959dfbe337c8198b59777da328f0ea469d0b44f020e1
Opcode Fuzzy Hash: c69bff13244b2f88b35f7c27914c0fb10f57ca2d2e48f4bddc1e06f7d2462a35
Instruction Fuzzy Hash: 6851173490024DDFCB15EFA8E5A0A9EBBB2FB89704F6085ADC0156B354CB71AD45CF91

Uniqueness

Uniqueness Score: -1.00%

Function 015A0CD9 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.1768912044.00000000015A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_15a0000_9561.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a224563da7fc5a793599f02d56572b5f328e6897ed67804722b05fca1754348
Instruction ID: 932c4e26d8c59d1204497706ea00965e025c43587c2daba02e98270cfab5b060
Opcode Fuzzy Hash: 1a224563da7fc5a793599f02d56572b5f328e6897ed67804722b05fca1754348
Instruction Fuzzy Hash: 5E31233174020A8FCB01DBAD94809BEBBE5BBC4324B50412AE409DB382DB30ED06CBE0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: 288c47bbc1871b439df19ff4df68f076.exePID: 7848, Parent PID: 3488COMMON

Execution Graph

Execution Coverage:	4.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	12
Total number of Limit Nodes:	1

Executed Functions

Function 02CF47C6 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 02CF47EE
Module32First.KERNEL32(00000000,00000224), ref: 02CF480E

Memory Dump Source

Source File: 00000008.00000002.4107329248.0000000002CF4000.00000040.00000020.00020000.00000000.sdmp, Offset: 02CF4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2cf4000_288c47bbc1871b439df19ff4df68f076.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: b379928e1b0391cb1ba1ede0cb6eab90d526f3dc6836ae9dcf67f591c5b8e560
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 48F062352007106BD7B43BF9A88DBAB76E8AF89625F100629E742E15C0DB70E9458A61

Uniqueness

Uniqueness Score: -1.00%

Function 02CF4485 Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 02CF44D6

Memory Dump Source

Source File: 00000008.00000002.4107329248.0000000002CF4000.00000040.00000020.00020000.00000000.sdmp, Offset: 02CF4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_2cf4000_288c47bbc1871b439df19ff4df68f076.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 9f51283a0e43469e522ae000b3c755041d64f63705fad8fa3f3ee7b479fc9fd2
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 7E113F79A00208EFDB41DF98C985E99BBF5AF08351F058094FA489B361D375EA50EF80

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00433840 Relevance: 12.7, Strings: 10, Instructions: 172
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,/=MOScghs ( + , / @ P [ %q%v(") )()*., ->-r-t.\///C/d/f/i/q/s/v000X0b0o0s0x25536480: :]; =#> ??A3A4AVB:CNCcCfCoCsLlLmLoLtLuMcMeMnNdNlNoOKOUPCPcPdPePfPiPoPsSBSTScSkSmSoTeToV1V2V3V5V6V7YiZlZpZs")":"\*\D\E\S\W\"\\\d\n\r\s\w ])]:][]dsh2i)idipivmsn=nsos, xrefs: 00433A05
VirtualQuery for stack base failedadding nil Certificate to CertPoolarchive/tar: header field too longchacha20: wrong HChaCha20 key sizecouldn't create a new cipher blockcrypto/aes: invalid buffer overlapcrypto/des: invalid buffer overlapcrypto/rc4: invalid bu, xrefs: 00433AA5
%, xrefs: 00433B64
CreateWaitableTimerEx when creating timer failedHKCU\Software\Classes\mscfile\shell\open\commandMozilla/4.0 (compatible; MSIE 5.15; Mac_PowerPC)SELECT OSArchitecture FROM Win32_OperatingSystem"%s" --nt-service -f "%s" --Log "notice file %s"bufio: writer return, xrefs: 00433B00
bad g0 stackbad recoverybad value %dbootmgfw.efibuild_numberc ap trafficc hs trafficcaller errorcan't happencas64 failedcdn is emptychan receiveclose notifycontent-typecontext.TODOcountry_codedse disableddumping heapend tracegcentersyscallexit status failed t, xrefs: 00433A4A
runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=tls: internal error: failed to update binderstls: internal error: unexpected renegotiationtransform: input and output are not, xrefs: 00433B27
runtime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftset HTTPS proxy: %wsignature not foundskip this directorystopm holding lockssync.Cond is copiedsysMemStat overflowtoo many open filesunexpected InstFailunexpected data: %vunexpected g , xrefs: 004339DB
runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: inconsistent write deadlineruntime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: marked free object in span runtime: mcall called on m->g0 stackruntime:, xrefs: 00433A71
runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=tls: internal error: failed to update binderstls: internal error: unexpected renegotiationtransform: input and output are not identicaltransitioning GC to the same state , xrefs: 00433ACC
runtime.minit: duplicatehandle failedruntime: allocation size out of rangeruntime: unexpected SPWRITE function setprofilebucket: profile already setstartTheWorld: inconsistent mp->nextptimezone hour outside of range [0,23]tls: failed to verify certificate: %st, xrefs: 00433B5B

Memory Dump Source

Source File: 00000008.00000002.4075648542.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4075648542.0000000000840000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4075648542.0000000000843000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4075648542.0000000000ACD000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4075648542.0000000000C77000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4075648542.0000000000C7A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4075648542.0000000000CCF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4075648542.0000000000CD3000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4075648542.0000000000CEF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4075648542.0000000000CF6000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_288c47bbc1871b439df19ff4df68f076.jbxd

Yara matches

Similarity

API ID:
String ID: %$,/=MOScghs ( + , / @ P [ %q%v(") )()*., ->-r-t.\///C/d/f/i/q/s/v000X0b0o0s0x25536480: :]; =#> ??A3A4AVB:CNCcCfCoCsLlLmLoLtLuMcMeMnNdNlNoOKOUPCPcPdPePfPiPoPsSBSTScSkSmSoTeToV1V2V3V5V6V7YiZlZpZs")":"\*\D\E\S\W\"\\\d\n\r\s\w ])]:][]dsh2i)idipivmsn=nsos$CreateWaitableTimerEx when creating timer failedHKCU\Software\Classes\mscfile\shell\open\commandMozilla/4.0 (compatible; MSIE 5.15; Mac_PowerPC)SELECT OSArchitecture FROM Win32_OperatingSystem"%s" --nt-service -f "%s" --Log "notice file %s"bufio: writer return$VirtualQuery for stack base failedadding nil Certificate to CertPoolarchive/tar: header field too longchacha20: wrong HChaCha20 key sizecouldn't create a new cipher blockcrypto/aes: invalid buffer overlapcrypto/des: invalid buffer overlapcrypto/rc4: invalid bu$bad g0 stackbad recoverybad value %dbootmgfw.efibuild_numberc ap trafficc hs trafficcaller errorcan't happencas64 failedcdn is emptychan receiveclose notifycontent-typecontext.TODOcountry_codedse disableddumping heapend tracegcentersyscallexit status failed t$runtime.minit: duplicatehandle failed; errno=runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=tls: internal error: failed to update binderstls: internal error: unexpected renegotiationtransform: input and output are not$runtime.minit: duplicatehandle failedruntime: allocation size out of rangeruntime: unexpected SPWRITE function setprofilebucket: profile already setstartTheWorld: inconsistent mp->nextptimezone hour outside of range [0,23]tls: failed to verify certificate: %st$runtime: CreateWaitableTimerEx failed; errno=runtime: failed mSpanList.remove span.npages=tls: internal error: failed to update binderstls: internal error: unexpected renegotiationtransform: input and output are not identicaltransitioning GC to the same state $runtime: VirtualQuery failed; errno=runtime: bad notifyList size - sync=runtime: inconsistent write deadlineruntime: invalid pc-encoded table f=runtime: invalid typeBitsBulkBarrierruntime: marked free object in span runtime: mcall called on m->g0 stackruntime:$runtime: g0 stack [runtime: pcdata is runtime: preempt g0semaRoot rotateLeftset HTTPS proxy: %wsignature not foundskip this directorystopm holding lockssync.Cond is copiedsysMemStat overflowtoo many open filesunexpected InstFailunexpected data: %vunexpected g
API String ID: 0-2845907608
Opcode ID: ff352bc28894d16a452a2f4caff7d189ab20ce9f481d000fe134d9cfeccecbe9
Instruction ID: 54d86a38c7ca5e9b4d361dfb47ed8c6cf3eb888c171a558932b5f88d5bc68312
Opcode Fuzzy Hash: ff352bc28894d16a452a2f4caff7d189ab20ce9f481d000fe134d9cfeccecbe9
Instruction Fuzzy Hash: 8281CFB45097018FD700EF66C18575AFBE0BF88708F41992EF49887392EB789949CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 00443890 Relevance: 5.1, Strings: 4, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

p->status= s.nelems= schedtick= span.list= timerslen=$WINDIR\rss%!(BADPREC)%s (%d): %s) at entry+, elemsize=, npages = , settings:.WithCancel/dev/stderr/dev/stdout/index.html30517578125: frame.sp=BLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256Bad GatewayBad Req, xrefs: 00443997
releasep: m=remote errorremoving appruntime: gp=runtime: sp=s ap traffics hs trafficself-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringstraffic/readtransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog, xrefs: 00443929
releasep: invalid argremoving command appsruntime: confused by runtime: newstack at runtime: newstack sp=runtime: searchIdx = runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverablestun.sip, xrefs: 004439E1
m->p= max= min= next= p->m= prev= span=% util%s.exe%s.sys%s: %s(...), i = , not , val -BEFV--DYOR--FMLD--FZTA--IRXC--JFQI--JQGP--JSKV--JZUF--KGQJ--KSFO--MKND--MOHU--NSFS--PFQJ--PLND--RTMD--VRSM--XQVL-.local.onion/%d-%s370000390625:31461<-chanAcceptAnswerAr, xrefs: 0044394B

Memory Dump Source

Source File: 00000008.00000002.4075648542.0000000000400000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.4075648542.0000000000840000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4075648542.0000000000843000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4075648542.0000000000ACD000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4075648542.0000000000C77000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4075648542.0000000000C7A000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4075648542.0000000000CCF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4075648542.0000000000CD3000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4075648542.0000000000CEF000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000008.00000002.4075648542.0000000000CF6000.00000040.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_288c47bbc1871b439df19ff4df68f076.jbxd

Yara matches

Similarity

API ID:
String ID: m->p= max= min= next= p->m= prev= span=% util%s.exe%s.sys%s: %s(...), i = , not , val -BEFV--DYOR--FMLD--FZTA--IRXC--JFQI--JQGP--JSKV--JZUF--KGQJ--KSFO--MKND--MOHU--NSFS--PFQJ--PLND--RTMD--VRSM--XQVL-.local.onion/%d-%s370000390625:31461<-chanAcceptAnswerAr$ p->status= s.nelems= schedtick= span.list= timerslen=$WINDIR\rss%!(BADPREC)%s (%d): %s) at entry+, elemsize=, npages = , settings:.WithCancel/dev/stderr/dev/stdout/index.html30517578125: frame.sp=BLAKE2b-256BLAKE2b-384BLAKE2b-512BLAKE2s-256Bad GatewayBad Req$releasep: invalid argremoving command appsruntime: confused by runtime: newstack at runtime: newstack sp=runtime: searchIdx = runtime: work.nwait= sequence tag mismatchstale NFS file handlestartlockedm: m has pstartm: m is spinningstate not recoverablestun.sip$releasep: m=remote errorremoving appruntime: gp=runtime: sp=s ap traffics hs trafficself-preemptsetupapi.dllshort bufferspanSetSpinesweepWaiterstraceStringstraffic/readtransmitfileulrichard.chunexpected )unknown portunknown typevmacthlp.exevmtoolsd.exewatchdog
API String ID: 0-3530339137
Opcode ID: 03cba40248be9614d912058f238ee98c854f22f9c3287f9368adac6faf42cc96
Instruction ID: 41eda2ad12dc9040aabd0b4fda58d31df6fc94468559f7c6cc3daccb715ab915
Opcode Fuzzy Hash: 03cba40248be9614d912058f238ee98c854f22f9c3287f9368adac6faf42cc96
Instruction Fuzzy Hash: 9C31E2B45087418FD700EF25C185B1AFBE1BF88708F45882EF4888B352DB789948CB6A

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. The Regsvr32.exe binary may also be signed by Microsoft.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Module: Module Load, Network Traffic: Network Connection Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse rundll32.exe to proxy execution of malicious code. Using rundll32.exe, vice executing directly (i.e. Shared Modules ), may avoid triggering security tools that may not monitor execution of the rundll32.exe process because of allowlists or false positives from normal operations. Rundll32.exe is commonly associated with executing DLL payloads (ex: `rundll32.exe {DLLname, DLLfunction}` ).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Threatname: SmokeLoader

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Privilege Escalation

Bitcoin Miner

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\CPointASP\bin\x86\7z.exe (copy)

C:\Program Files (x86)\CPointASP\bin\x86\COPYING.LGPLv2.1 (copy)

C:\Program Files (x86)\CPointASP\bin\x86\OptimFROG.dll (copy)

C:\Program Files (x86)\CPointASP\bin\x86\bass_fx.dll (copy)

C:\Program Files (x86)\CPointASP\bin\x86\bass_ofr.dll (copy)

C:\Program Files (x86)\CPointASP\bin\x86\bass_tta.dll (copy)

C:\Program Files (x86)\CPointASP\bin\x86\bassalac.dll (copy)

Windows Analysis Report
file.exe

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre