Edit tour

Windows Analysis Report
v6SEx6rJ3E.exe

Overview

General Information

Sample name:	v6SEx6rJ3E.exe renamed because original name is a hash value
Original sample name:	10f4053998fd9c03a187fe7f75a36697.exe
Analysis ID:	1384598
MD5:	10f4053998fd9c03a187fe7f75a36697
SHA1:	e7d8bf1e601693288db584bacd161d0cabfbe8d7
SHA256:	25825052577f72cf9553334f78fef5fb991ee4891a908e90555bfd16dd6a1c4e
Tags:	exe
Infos:

Detection

LummaC, Glupteba, LummaC Stealer, SmokeLoader, Socks5Systemz, Stealc, Vidar

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Benign windows process drops PE files

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

UAC bypass detected (Fodhelper)

Yara detected Glupteba

Yara detected LummaC Stealer

Yara detected SmokeLoader

Yara detected Socks5Systemz

Yara detected Stealc

Yara detected UAC Bypass using CMSTP

Yara detected Vidar stealer

C2 URLs / IPs found in malware configuration

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Contains functionality to infect the boot sector

Contains functionality to inject code into remote processes

Creates a thread in another existing process (thread injection)

Deletes itself after installation

Drops PE files with benign system names

Found many strings related to Crypto-Wallets (likely being stolen)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for dropped file

Machine Learning detection for sample

Maps a DLL or memory area into another process

PE file contains section with special chars

Query firmware table information (likely to detect VMs)

Sample uses process hollowing technique

Sigma detected: Bypass UAC via Fodhelper.exe

Sigma detected: Files With System Process Name In Unsuspected Locations

Sigma detected: System File Execution Location Anomaly

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Tries to steal Mail credentials (via file / registry access)

Uses schtasks.exe or at.exe to add and modify task schedules

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Connects to several IPs in different countries

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to shutdown / reboot the system

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evasive API chain (may stop execution after checking a module file name)

Found evasive API chain checking for process token information

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries information about the installed CPU (vendor, model number etc)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Registers a DLL

Sample execution stops while process was sleeping (likely an evasion)

Searches for user specific document files

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Execution of Suspicious File Type Extension

Sigma detected: Suspicious Process Patterns NTDS.DIT Exfil

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w10x64

v6SEx6rJ3E.exe (PID: 6292 cmdline: C:\Users\user\Desktop\v6SEx6rJ3E.exe MD5: 10F4053998FD9C03A187FE7F75A36697)

explorer.exe (PID: 4004 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)

52CE.exe (PID: 2784 cmdline: C:\Users\user\AppData\Local\Temp\52CE.exe MD5: DD0A3EBCD915E422F47141770AF20252)

conhost.exe (PID: 7096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

58CA.exe (PID: 796 cmdline: C:\Users\user\AppData\Local\Temp\58CA.exe MD5: 1274287F7DAA409EEA3E07059CF8FD51)

58CA.exe (PID: 3300 cmdline: C:\Users\user\AppData\Local\Temp\58CA.exe MD5: 1274287F7DAA409EEA3E07059CF8FD51)

5C46.exe (PID: 1468 cmdline: C:\Users\user\AppData\Local\Temp\5C46.exe MD5: 1996A23C7C764A77CCACF5808FEC23B0)

regsvr32.exe (PID: 6104 cmdline: regsvr32 /s C:\Users\user\AppData\Local\Temp\6000.dll MD5: B0C2FA35D14A9FAD919E99D9D75E1B9E)

regsvr32.exe (PID: 4904 cmdline: /s C:\Users\user\AppData\Local\Temp\6000.dll MD5: 878E47C8656E53AE8A8A21E927C6F7E0)

7147.exe (PID: 6084 cmdline: C:\Users\user\AppData\Local\Temp\7147.exe MD5: AFEC1180BFCBA8D6B8BCAE439C73E1EC)

8B96.exe (PID: 3004 cmdline: C:\Users\user\AppData\Local\Temp\8B96.exe MD5: 2AB09B6EBDA5C4FDE187A8A91AC25F64)

InstallSetup4.exe (PID: 5616 cmdline: "C:\Users\user\AppData\Local\Temp\InstallSetup4.exe" MD5: AB8E9C5D6AB3051C122463922F936EE8)

BroomSetup.exe (PID: 6484 cmdline: C:\Users\user\AppData\Local\Temp\BroomSetup.exe MD5: 5E94F0F6265F9E8B2F706F1D46BBD39E)

cmd.exe (PID: 3800 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Temp\Task.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

chcp.com (PID: 2708 cmdline: chcp 1251 MD5: 20A59FB950D8A191F7D35C4CA7DA9CAF)

schtasks.exe (PID: 3756 cmdline: schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\user\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F MD5: 48C2FE20575769DE916F48EF0676A965)

nsh9BCF.tmp (PID: 1424 cmdline: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp MD5: F90AB999CA323DA846279F15FC70C470)

288c47bbc1871b439df19ff4df68f076.exe (PID: 1432 cmdline: "C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe" MD5: 1E2FBA96A14DB95142038A3BD5277306)

cmd.exe (PID: 2192 cmdline: C:\Windows\Sysnative\cmd.exe /C fodhelper MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

fodhelper.exe (PID: 1656 cmdline: fodhelper MD5: 85018BE1FD913656BC9FF541F017EACD)

fodhelper.exe (PID: 5412 cmdline: "C:\Windows\system32\fodhelper.exe" MD5: 85018BE1FD913656BC9FF541F017EACD)

fodhelper.exe (PID: 6080 cmdline: "C:\Windows\system32\fodhelper.exe" MD5: 85018BE1FD913656BC9FF541F017EACD)

288c47bbc1871b439df19ff4df68f076.exe (PID: 5352 cmdline: "C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe" MD5: 1E2FBA96A14DB95142038A3BD5277306)

99FE.exe (PID: 4060 cmdline: C:\Users\user\AppData\Local\Temp\99FE.exe MD5: 4D0BDD6E4F596B077EB8FAC05E502EDA)

99FE.tmp (PID: 1080 cmdline: "C:\Users\user\AppData\Local\Temp\is-7LVCL.tmp\99FE.tmp" /SL5="$1043A,7349384,54272,C:\Users\user\AppData\Local\Temp\99FE.exe" MD5: 558517932AFFF8DEF7D6C9E9A2A51668)

99FE.exe (PID: 2616 cmdline: "C:\Users\user\AppData\Local\Temp\99FE.exe" /SPAWNWND=$1049A /NOTIFYWND=$1043A MD5: 4D0BDD6E4F596B077EB8FAC05E502EDA)

99FE.tmp (PID: 3432 cmdline: "C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp" /SL5="$204D0,7349384,54272,C:\Users\user\AppData\Local\Temp\99FE.exe" /SPAWNWND=$1049A /NOTIFYWND=$1043A MD5: 558517932AFFF8DEF7D6C9E9A2A51668)

ksverify.exe (PID: 3604 cmdline: "C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe" -i MD5: 75BC189F3B2906887761C60E480B7CCF)

ksverify.exe (PID: 6524 cmdline: "C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe" -s MD5: 75BC189F3B2906887761C60E480B7CCF)

BD27.exe (PID: 1176 cmdline: C:\Users\user\AppData\Local\Temp\BD27.exe MD5: 31A6C56DA13533F4ADDEF7BAB188E395)

csrss.exe (PID: 3992 cmdline: "C:\ProgramData\Drivers\csrss.exe" MD5: 1274287F7DAA409EEA3E07059CF8FD51)

esiffai (PID: 5052 cmdline: C:\Users\user\AppData\Roaming\esiffai MD5: 10F4053998FD9C03A187FE7F75A36697)

5C46.exe (PID: 1656 cmdline: "C:\Users\user\AppData\Local\Temp\5C46.exe" MD5: 1996A23C7C764A77CCACF5808FEC23B0)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://darktrace.com/blog/the-rise-of-the-lumma-info-stealer https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-lummac2-94111d4b1e11	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name	Description	Attribution	Blogpost URLs	Link
Glupteba	Glupteba is a trojan horse malware that is one of the top ten malware variants of 2021. After infecting a system, the Glupteba malware can be used to deliver additional malware, steal user authentication information, and enroll the infected system in a cryptomining botnet.	No Attribution	http://resources.infosecinstitute.com/tdss4-part-1/ https://blog.chainalysis.com/reports/2022-crypto-crime-report-preview-malware/ https://blog.google/technology/safety-security/new-action-combat-cyber-crime/ https://blog.google/threat-analysis-group/disrupting-glupteba-operation/ https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/	https://malpedia.caad.fkie.fraunhofer.de/details/win.glupteba

Name	Description	Attribution	Blogpost URLs	Link
SmokeLoader	The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.	SMOKY SPIDER	http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html http://security.neurolabs.club/2019/10/dynamic-imports-and-working-around.html http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html http://security.neurolabs.club/2020/06/unpacking-smokeloader-and.html https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries	https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name	Description	Attribution	Blogpost URLs	Link
Vidar	Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser.	No Attribution	https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-1-(-Unpacking-)/ https://0x00-0x7f.github.io/A-Case-of-Vidar-Infostealer-Part-2/ https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/vidar-stealer-h-and-m-campaign https://0xtoxin.github.io/malware%20analysis/Vidar-Stealer-Campaign/ https://asec.ahnlab.com/en/22932/	https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

Malware Configuration

Threatname: StealC

{"C2 url": "http://185.172.128.79/3886d2276f6914c4.php"}

Threatname: LummaC

{"C2 url": ["sofahuntingslidedine.shop", "culturesketchfinanciall.shop", "triangleseasonbenchwj.shop", "triangleseasonbenchwj.shop", "modestessayevenmilwek.shop", "liabilityarrangemenyit.shop", "claimconcessionrebe.shop", "claimconcessionrebe.shop", "secretionsuitcasenioise.shop", "gemcreedarticulateod.shop", "sofahuntingslidedine.shop", "culturesketchfinanciall.shop", "triangleseasonbenchwj.shop", "triangleseasonbenchwj.shop", "modestessayevenmilwek.shop", "liabilityarrangemenyit.shop", "claimconcessionrebe.shop", "claimconcessionrebe.shop", "secretionsuitcasenioise.shop", "gemcreedarticulateod.shop"], "Build id": "nKh2V5--pal"}

Threatname: SmokeLoader

{"Version": 2022, "C2 list": ["http://valarioulinity1.net/index.php", "http://buriatiarutuhuob.net/index.php", "http://cassiosssionunu.me/index.php"]}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\Users\user\AppData\Local\Temp\BroomSetup.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
C:\Users\user\AppData\Local\Temp\8B96.exe	MALWARE_Win_DLInjector04	Detects downloader / injector	ditekSHen	0x617c00:$s1: Runner 0x617d65:$s3: RunOnStartup 0x617c14:$a1: Antis 0x617c41:$a2: antiVM 0x617c48:$a3: antiSandbox 0x617c54:$a4: antiDebug 0x617c5e:$a5: antiEmulator 0x617c6b:$a6: enablePersistence 0x617c7d:$a7: enableFakeError 0x617d8e:$a8: DetectVirtualMachine 0x617db3:$a9: DetectSandboxie 0x617dde:$a10: DetectDebugger 0x617ded:$a11: CheckEmulator

Memory Dumps

Source	Rule	Description	Author	Strings
00000006.00000002.2363431931.00000000004C0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
0000002B.00000002.2660260455.0000000004E00000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x778:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000017.00000000.2496485402.0000000000401000.00000020.00000001.01000000.00000010.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
00000012.00000003.2882836255.00000000017BE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000000.00000002.2122757186.00000000020B1000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.2122757186.00000000020B1000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x2a4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000002C.00000002.2739842815.0000000004FE0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000012.00000002.2887800762.00000000017BE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000016.00000002.2669166825.00000000053A3000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
0000002C.00000002.2728077355.0000000004BE0000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.2122690423.0000000002080000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
0000002C.00000002.2695084948.0000000000843000.00000040.00000001.01000000.0000000F.sdmp	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
00000006.00000002.2363904788.00000000004D0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000006.00000002.2363904788.00000000004D0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x6a4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000026.00000002.2679986992.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000026.00000003.2625881100.0000000002BD0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
0000002C.00000003.2663525231.0000000005D12000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
00000016.00000002.2668458001.0000000004A58000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000000.00000002.2122714644.0000000002090000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000000.00000002.2122714644.0000000002090000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x6a4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000001E.00000002.3306141637.0000000002B70000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0000001E.00000002.3306141637.0000000002B70000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
0000000A.00000002.2405732872.0000000000413000.00000004.00000001.01000000.00000008.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000023.00000002.4721026220.0000000000B21000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Socks5Systemz	Yara detected Socks5Systemz	Joe Security
00000023.00000002.4714471412.00000000008BE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Socks5Systemz	Yara detected Socks5Systemz	Joe Security
0000001E.00000002.3308661443.0000000002BE5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0000001E.00000002.3301685410.000000000043C000.00000040.00000001.01000000.00000015.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000016.00000002.2669166825.0000000004F60000.00000040.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_3687686f	unknown	unknown	0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
00000000.00000002.2122463373.000000000048D000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x394f:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000026.00000002.2680038796.0000000002BD0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000026.00000002.2680038796.0000000002BD0000.00000004.00001000.00020000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x624:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000012.00000003.2885033991.00000000017BE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000001E.00000003.2588311330.0000000004760000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
0000001E.00000002.3311798789.0000000002C09000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x464d:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000006.00000002.2364285288.0000000000551000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000006.00000002.2364285288.0000000000551000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x2a4:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000006.00000002.2364391445.00000000005AE000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x3657:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000012.00000003.2883808615.00000000017BE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000002.2442232703.0000000000413000.00000004.00000001.01000000.00000008.sdmp	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
00000026.00000002.2680618871.0000000002C79000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x7011:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
00000026.00000002.2680205009.0000000002C11000.00000004.10000000.00040000.00000000.sdmp	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
00000026.00000002.2680205009.0000000002C11000.00000004.10000000.00040000.00000000.sdmp	Windows_Trojan_Smokeloader_4e31426e	unknown	unknown	0x224:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
0000001E.00000002.3301685410.0000000000400000.00000040.00000001.01000000.00000015.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000009.00000002.2441680458.0000000004905000.00000040.00000020.00020000.00000000.sdmp	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x798:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
0000002C.00000002.2739842815.0000000005423000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
00000016.00000003.2535351079.0000000005C92000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
00000016.00000002.2661056946.0000000000843000.00000040.00000001.01000000.0000000F.sdmp	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
Process Memory Space: explorer.exe PID: 4004	ironshell_php	Semi-Auto-generated - file ironshell.php.txt	Neo23x0 Yara BRG + customization by Stefan -dfate- Molls	0xc45e7:$s2: ~ Shell I
Process Memory Space: 52CE.exe PID: 2784	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: 52CE.exe PID: 2784	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
Click to see the 45 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
16.2.5C46.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
16.2.5C46.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x10000:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x100a0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x10170:$s2: Elevation:Administrator!new:
38.2.BD27.exe.400000.0.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
38.3.BD27.exe.2bd0000.0.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
30.2.nsh9BCF.tmp.2b70e67.1.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
30.3.nsh9BCF.tmp.4760000.0.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
10.2.5C46.exe.400000.0.unpack	JoeSecurity_UACBypassusingCMSTP	Yara detected UAC Bypass using CMSTP	Joe Security
10.2.5C46.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM	Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)	ditekSHen	0x10000:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x100a0:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7} 0x10170:$s2: Elevation:Administrator!new:
38.2.BD27.exe.2bc0e67.1.raw.unpack	JoeSecurity_SmokeLoader_2	Yara detected SmokeLoader	Joe Security
30.2.nsh9BCF.tmp.400000.0.raw.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
20.0.8B96.exe.930000.0.unpack	MALWARE_Win_DLInjector04	Detects downloader / injector	ditekSHen	0x617c00:$s1: Runner 0x617d65:$s3: RunOnStartup 0x617c14:$a1: Antis 0x617c41:$a2: antiVM 0x617c48:$a3: antiSandbox 0x617c54:$a4: antiDebug 0x617c5e:$a5: antiEmulator 0x617c6b:$a6: enablePersistence 0x617c7d:$a7: enableFakeError 0x617d8e:$a8: DetectVirtualMachine 0x617db3:$a9: DetectSandboxie 0x617dde:$a10: DetectDebugger 0x617ded:$a11: CheckEmulator
30.2.nsh9BCF.tmp.2b70e67.1.unpack	JoeSecurity_Vidar_1	Yara detected Vidar stealer	Joe Security
30.2.nsh9BCF.tmp.2b70e67.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
30.2.nsh9BCF.tmp.2b70e67.1.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
30.2.nsh9BCF.tmp.2b70e67.1.unpack	Windows_Trojan_RedLineStealer_ed346e4c	unknown	unknown	0x9b3e6:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
30.2.nsh9BCF.tmp.2b70e67.1.unpack	INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation	Detects executables containing potential Windows Defender anti-emulation checks	ditekSHen	0x6ee81:$s1: JohnDoe 0x6ee61:$s2: HAL9TH
23.0.BroomSetup.exe.400000.0.unpack	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security
30.2.nsh9BCF.tmp.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
30.2.nsh9BCF.tmp.400000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
44.2.288c47bbc1871b439df19ff4df68f076.exe.400000.6.unpack	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
22.2.288c47bbc1871b439df19ff4df68f076.exe.4f60e67.8.unpack	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
44.3.288c47bbc1871b439df19ff4df68f076.exe.58d0000.2.unpack	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
22.2.288c47bbc1871b439df19ff4df68f076.exe.400000.7.unpack	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
44.2.288c47bbc1871b439df19ff4df68f076.exe.4fe0e67.15.unpack	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
22.3.288c47bbc1871b439df19ff4df68f076.exe.5850000.4.unpack	JoeSecurity_Glupteba	Yara detected Glupteba	Joe Security
Click to see the 20 entries

Sigma Signatures

System Summary

Sigma detected: Bypass UAC via Fodhelper.exe

Source: Process started

Author: E.M. Anhaus (originally from Atomic Blue Detections, Tony Lambert), oscd.community: Data: Command: "C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe" , CommandLine: "C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe" , CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe, ParentCommandLine: "C:\Windows\system32\fodhelper.exe" , ParentImage: C:\Windows\System32\fodhelper.exe, ParentProcessId: 6080, ParentProcessName: fodhelper.exe, ProcessCommandLine: "C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe" , ProcessId: 5352, ProcessName: 288c47bbc1871b439df19ff4df68f076.exe

Sigma detected: Files With System Process Name In Unsuspected Locations

Source: File created

Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\58CA.exe, ProcessId: 3300, TargetFilename: C:\ProgramData\Drivers\csrss.exe

Sigma detected: System File Execution Location Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: "C:\ProgramData\Drivers\csrss.exe" , CommandLine: "C:\ProgramData\Drivers\csrss.exe" , CommandLine|base64offset|contains: , Image: C:\ProgramData\Drivers\csrss.exe, NewProcessName: C:\ProgramData\Drivers\csrss.exe, OriginalFileName: C:\ProgramData\Drivers\csrss.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 4004, ParentProcessName: explorer.exe, ProcessCommandLine: "C:\ProgramData\Drivers\csrss.exe" , ProcessId: 3992, ProcessName: csrss.exe

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\ProgramData\Drivers\csrss.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\58CA.exe, ProcessId: 3300, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CSRSS

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: C:\Users\user\AppData\Roaming\esiffai, CommandLine: C:\Users\user\AppData\Roaming\esiffai, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\esiffai, NewProcessName: C:\Users\user\AppData\Roaming\esiffai, OriginalFileName: C:\Users\user\AppData\Roaming\esiffai, ParentCommandLine: , ParentImage: , ParentProcessId: 1064, ProcessCommandLine: C:\Users\user\AppData\Roaming\esiffai, ProcessId: 5052, ProcessName: esiffai

Sigma detected: Suspicious Process Patterns NTDS.DIT Exfil

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: C:\Users\user\AppData\Roaming\esiffai, CommandLine: C:\Users\user\AppData\Roaming\esiffai, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\esiffai, NewProcessName: C:\Users\user\AppData\Roaming\esiffai, OriginalFileName: C:\Users\user\AppData\Roaming\esiffai, ParentCommandLine: , ParentImage: , ParentProcessId: 1064, ProcessCommandLine: C:\Users\user\AppData\Roaming\esiffai, ProcessId: 5052, ProcessName: esiffai

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\user\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F, CommandLine: schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\user\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F, CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Temp\Task.bat" ", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3800, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\user\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F, ProcessId: 3756, ProcessName: schtasks.exe

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\ProgramData\Drivers\csrss.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\58CA.exe, ProcessId: 3300, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CSRSS

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: "C:\ProgramData\Drivers\csrss.exe" , CommandLine: "C:\ProgramData\Drivers\csrss.exe" , CommandLine|base64offset|contains: , Image: C:\ProgramData\Drivers\csrss.exe, NewProcessName: C:\ProgramData\Drivers\csrss.exe, OriginalFileName: C:\ProgramData\Drivers\csrss.exe, ParentCommandLine: C:\Windows\Explorer.EXE, ParentImage: C:\Windows\explorer.exe, ParentProcessId: 4004, ParentProcessName: explorer.exe, ProcessCommandLine: "C:\ProgramData\Drivers\csrss.exe" , ProcessId: 3992, ProcessName: csrss.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: https://claimconcessionrebe.shop/9g	Avira URL Cloud: Label: phishing
Source: triangleseasonbenchwj.shop	Avira URL Cloud: Label: malware
Source: sofahuntingslidedine.shop	Avira URL Cloud: Label: phishing
Source: liabilityarrangemenyit.shop	Avira URL Cloud: Label: malware
Source: https://claimconcessionrebe.shop/api	Avira URL Cloud: Label: phishing
Source: https://claimconcessionrebe.shop/	Avira URL Cloud: Label: phishing
Source: claimconcessionrebe.shop	Avira URL Cloud: Label: phishing

Antivirus detection for dropped file

Source: C:\ProgramData\DeliveryStatusFields_65\DeliveryStatusFields_65.exe	Avira: detection malicious, Label: HEUR/AGEN.1324712
Source: C:\ProgramData\Drivers\csrss.exe	Avira: detection malicious, Label: HEUR/AGEN.1312689

Found malware configuration

Source: 00000000.00000002.2122757186.00000000020B1000.00000004.10000000.00040000.00000000.sdmp	Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://valarioulinity1.net/index.php", "http://buriatiarutuhuob.net/index.php", "http://cassiosssionunu.me/index.php"]}
Source: 0000001E.00000002.3306141637.0000000002B70000.00000040.00001000.00020000.00000000.sdmp	Malware Configuration Extractor: StealC {"C2 url": "http://185.172.128.79/3886d2276f6914c4.php"}
Source: 52CE.exe.2784.7.memstrmin	Malware Configuration Extractor: LummaC {"C2 url": ["sofahuntingslidedine.shop", "culturesketchfinanciall.shop", "triangleseasonbenchwj.shop", "triangleseasonbenchwj.shop", "modestessayevenmilwek.shop", "liabilityarrangemenyit.shop", "claimconcessionrebe.shop", "claimconcessionrebe.shop", "secretionsuitcasenioise.shop", "gemcreedarticulateod.shop", "sofahuntingslidedine.shop", "culturesketchfinanciall.shop", "triangleseasonbenchwj.shop", "triangleseasonbenchwj.shop", "modestessayevenmilwek.shop", "liabilityarrangemenyit.shop", "claimconcessionrebe.shop", "claimconcessionrebe.shop", "secretionsuitcasenioise.shop", "gemcreedarticulateod.shop"], "Build id": "nKh2V5--pal"}

Multi AV Scanner detection for domain / URL

Source: http://buriatiarutuhuob.net/index.php	Virustotal: Detection: 13%	Perma Link
Source: http://cassiosssionunu.me/index.php	Virustotal: Detection: 13%	Perma Link
Source: sofahuntingslidedine.shop	Virustotal: Detection: 12%	Perma Link
Source: triangleseasonbenchwj.shop	Virustotal: Detection: 17%	Perma Link
Source: claimconcessionrebe.shop	Virustotal: Detection: 14%	Perma Link
Source: liabilityarrangemenyit.shop	Virustotal: Detection: 9%	Perma Link
Source: https://claimconcessionrebe.shop/api	Virustotal: Detection: 15%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\DeliveryStatusFields_65\DeliveryStatusFields_65.exe	Virustotal: Detection: 43%	Perma Link
Source: C:\ProgramData\Drivers\csrss.exe	ReversingLabs: Detection: 65%
Source: C:\ProgramData\Drivers\csrss.exe	Virustotal: Detection: 54%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\syncUpd[1].exe	ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	ReversingLabs: Detection: 71%
Source: C:\Users\user\AppData\Local\Temp\3ADF.exe	ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\Temp\5C46.exe	ReversingLabs: Detection: 86%
Source: C:\Users\user\AppData\Local\Temp\6000.dll	ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Local\Temp\7147.exe	ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Temp\8B96.exe	ReversingLabs: Detection: 78%
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	ReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Local\Temp\D358.exe	ReversingLabs: Detection: 84%
Source: C:\Users\user\AppData\Local\Temp\DFB4.exe	ReversingLabs: Detection: 36%
Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe	ReversingLabs: Detection: 65%
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Roaming\esiffai	ReversingLabs: Detection: 55%

Multi AV Scanner detection for submitted file

Source: v6SEx6rJ3E.exe	ReversingLabs: Detection: 55%
Source: v6SEx6rJ3E.exe	Virustotal: Detection: 41%			Perma Link

Yara detected Glupteba

Source: Yara match	File source: 44.2.288c47bbc1871b439df19ff4df68f076.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.288c47bbc1871b439df19ff4df68f076.exe.4f60e67.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.3.288c47bbc1871b439df19ff4df68f076.exe.58d0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.288c47bbc1871b439df19ff4df68f076.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.288c47bbc1871b439df19ff4df68f076.exe.4fe0e67.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.288c47bbc1871b439df19ff4df68f076.exe.5850000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000016.00000002.2669166825.00000000053A3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.2695084948.0000000000843000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.2663525231.0000000005D12000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.2739842815.0000000005423000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.2535351079.0000000005C92000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2661056946.0000000000843000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY

Machine Learning detection for dropped file

Source: C:\ProgramData\DeliveryStatusFields_65\DeliveryStatusFields_65.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\Drivers\csrss.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: v6SEx6rJ3E.exe

Joe Sandbox ML: detected

Source: 58CA.exe, 00000011.00000003.3491176059.0000000003A84000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: -----BEGIN RSA PUBLIC KEY-----

memstr_85d09042-b

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: 16.2.5C46.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.5C46.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000A.00000002.2405732872.0000000000413000.00000004.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2442232703.0000000000413000.00000004.00000001.01000000.00000008.sdmp, type: MEMORY

Privilege Escalation

UAC bypass detected (Fodhelper)

Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Registry value created: DelegateExecute
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Registry value created: NULL "C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

Bitcoin Miner

Yara detected Glupteba

Source: Yara match	File source: 44.2.288c47bbc1871b439df19ff4df68f076.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.288c47bbc1871b439df19ff4df68f076.exe.4f60e67.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.3.288c47bbc1871b439df19ff4df68f076.exe.58d0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.288c47bbc1871b439df19ff4df68f076.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.288c47bbc1871b439df19ff4df68f076.exe.4fe0e67.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.288c47bbc1871b439df19ff4df68f076.exe.5850000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000016.00000002.2669166825.00000000053A3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.2695084948.0000000000843000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.2663525231.0000000005D12000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.2739842815.0000000005423000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.2535351079.0000000005C92000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2661056946.0000000000843000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY

Compliance

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Unpacked PE file: 22.2.288c47bbc1871b439df19ff4df68f076.exe.400000.7.unpack
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Unpacked PE file: 30.2.nsh9BCF.tmp.400000.0.unpack
Source: C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe	Unpacked PE file: 34.2.ksverify.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe	Unpacked PE file: 35.2.ksverify.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Unpacked PE file: 44.2.288c47bbc1871b439df19ff4df68f076.exe.400000.6.unpack

Source: v6SEx6rJ3E.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: C:\Users\user\Desktop\v6SEx6rJ3E.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source:	Binary string: c:\omtnkdoj\bnwv\yogisfk\cqf.pdb source: 5C46.exe, 0000000A.00000002.2405705506.0000000000410000.00000002.00000001.01000000.00000008.sdmp, 5C46.exe, 0000000A.00000000.2355083766.0000000000410000.00000002.00000001.01000000.00000008.sdmp, 5C46.exe, 00000010.00000002.2442206283.0000000000410000.00000002.00000001.01000000.00000008.sdmp, 5C46.exe, 00000010.00000000.2375703307.0000000000410000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: c:\bfllk\pdgh\qovxk\wqdtbmac.pdb source: 5C46.exe, 00000010.00000002.2442412063.0000000000551000.00000004.00000020.00020000.00000000.sdmp, 5C46.exe, 00000010.00000002.2464218511.0000000004970000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\jfmo\tlcp\nyvnyt\obocmwsb.pdb source: 5C46.exe, 00000010.00000002.2443145243.000000000284B000.00000004.00000020.00020000.00000000.sdmp, 5C46.exe, 00000010.00000002.2464218511.0000000004970000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\mitegocom.pdb source: 58CA.exe, 00000009.00000000.2346852287.00000000005C2000.00000002.00000001.01000000.00000007.sdmp, 58CA.exe, 00000009.00000002.2438731839.00000000005C2000.00000002.00000001.01000000.00000007.sdmp, 58CA.exe, 00000011.00000000.2417518022.00000000005C2000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: c:\bfllk\pdgh\qovxk\wqdtbmac.pdb/; source: 5C46.exe, 00000010.00000002.2442412063.0000000000551000.00000004.00000020.00020000.00000000.sdmp, 5C46.exe, 00000010.00000002.2464218511.0000000004970000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\jfmo\tlcp\nyvnyt\obocmwsb.pdb/; source: 5C46.exe, 00000010.00000002.2443145243.000000000284B000.00000004.00000020.00020000.00000000.sdmp, 5C46.exe, 00000010.00000002.2464218511.0000000004970000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: p.*C:\mitegocom.pdb source: 58CA.exe, 00000009.00000000.2346852287.00000000005C2000.00000002.00000001.01000000.00000007.sdmp, 58CA.exe, 00000009.00000002.2438731839.00000000005C2000.00000002.00000001.01000000.00000007.sdmp, 58CA.exe, 00000011.00000000.2417518022.00000000005C2000.00000002.00000001.01000000.00000007.sdmp

Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 109.175.29.39 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 186.147.159.149 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 172.67.173.86 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 91.215.85.120 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 185.172.128.19 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 141.8.192.6 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 91.92.244.44 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 189.232.10.46 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 103.20.213.70 443	Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://185.172.128.79/3886d2276f6914c4.php
Source: Malware configuration extractor	URLs: sofahuntingslidedine.shop
Source: Malware configuration extractor	URLs: culturesketchfinanciall.shop
Source: Malware configuration extractor	URLs: triangleseasonbenchwj.shop
Source: Malware configuration extractor	URLs: triangleseasonbenchwj.shop
Source: Malware configuration extractor	URLs: modestessayevenmilwek.shop
Source: Malware configuration extractor	URLs: liabilityarrangemenyit.shop
Source: Malware configuration extractor	URLs: claimconcessionrebe.shop
Source: Malware configuration extractor	URLs: claimconcessionrebe.shop
Source: Malware configuration extractor	URLs: secretionsuitcasenioise.shop
Source: Malware configuration extractor	URLs: gemcreedarticulateod.shop
Source: Malware configuration extractor	URLs: sofahuntingslidedine.shop
Source: Malware configuration extractor	URLs: culturesketchfinanciall.shop
Source: Malware configuration extractor	URLs: triangleseasonbenchwj.shop
Source: Malware configuration extractor	URLs: triangleseasonbenchwj.shop
Source: Malware configuration extractor	URLs: modestessayevenmilwek.shop
Source: Malware configuration extractor	URLs: liabilityarrangemenyit.shop
Source: Malware configuration extractor	URLs: claimconcessionrebe.shop
Source: Malware configuration extractor	URLs: claimconcessionrebe.shop
Source: Malware configuration extractor	URLs: secretionsuitcasenioise.shop
Source: Malware configuration extractor	URLs: gemcreedarticulateod.shop
Source: Malware configuration extractor	URLs: http://valarioulinity1.net/index.php
Source: Malware configuration extractor	URLs: http://buriatiarutuhuob.net/index.php
Source: Malware configuration extractor	URLs: http://cassiosssionunu.me/index.php

Source: unknown

Network traffic detected: IP country count 11

Source: Joe Sandbox View	IP Address: 77.88.21.249 77.88.21.249
Source: Joe Sandbox View	IP Address: 13.248.169.48 13.248.169.48

Source: explorer.exe, 00000002.00000003.2334278323.0000000002F20000.00000004.00000001.00020000.00000000.sdmp, 52CE.exe, 00000007.00000003.2336164835.0000000002343000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: explorer.exe, 00000002.00000000.2115057118.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2115057118.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000002.00000003.2334278323.0000000002F20000.00000004.00000001.00020000.00000000.sdmp, 52CE.exe, 00000007.00000003.2336164835.0000000002343000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: explorer.exe, 00000002.00000003.2334278323.0000000002F20000.00000004.00000001.00020000.00000000.sdmp, 52CE.exe, 00000007.00000003.2336164835.0000000002343000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: explorer.exe, 00000002.00000003.2334278323.0000000002F20000.00000004.00000001.00020000.00000000.sdmp, 52CE.exe, 00000007.00000003.2336164835.0000000002343000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: explorer.exe, 00000002.00000003.2334278323.0000000002F20000.00000004.00000001.00020000.00000000.sdmp, 52CE.exe, 00000007.00000003.2336164835.0000000002343000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: explorer.exe, 00000002.00000000.2115057118.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2115057118.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000002.00000003.2334278323.0000000002F20000.00000004.00000001.00020000.00000000.sdmp, 52CE.exe, 00000007.00000003.2336164835.0000000002343000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: explorer.exe, 00000002.00000003.2334278323.0000000002F20000.00000004.00000001.00020000.00000000.sdmp, 52CE.exe, 00000007.00000003.2336164835.0000000002343000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: 52CE.exe, 00000007.00000003.2336164835.0000000002343000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: explorer.exe, 00000002.00000000.2115057118.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2115057118.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000002.00000003.2334278323.0000000002F20000.00000004.00000001.00020000.00000000.sdmp, 52CE.exe, 00000007.00000003.2336164835.0000000002343000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: explorer.exe, 00000002.00000000.2115057118.000000000978C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000003.2334278323.0000000002F20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2115057118.000000000973C000.00000004.00000001.00020000.00000000.sdmp, 52CE.exe, 00000007.00000003.2336164835.0000000002343000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000002.00000003.2334278323.0000000002F20000.00000004.00000001.00020000.00000000.sdmp, 52CE.exe, 00000007.00000003.2336164835.0000000002343000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: explorer.exe, 00000002.00000003.2334278323.0000000002F20000.00000004.00000001.00020000.00000000.sdmp, 52CE.exe, 00000007.00000003.2336164835.0000000002343000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: explorer.exe, 00000002.00000003.2334278323.0000000002F20000.00000004.00000001.00020000.00000000.sdmp, 52CE.exe, 00000007.00000003.2336164835.0000000002343000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: explorer.exe, 00000002.00000000.2115057118.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: 58CA.exe, 00000011.00000003.4030191989.000000003C58F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r3.i.lencr.org/0
Source: 58CA.exe, 00000011.00000003.4030191989.000000003C58F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: explorer.exe, 00000002.00000000.2113359732.0000000007B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2111255061.00000000028A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2113369969.0000000007B60000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://walmart.com/shop/deals/game-time-savings?povid=GlobalNav_rWeb_GameTime_GameTimeSavings
Source: explorer.exe, 00000002.00000000.2117072939.000000000C3BE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000002.00000003.2334278323.0000000002F20000.00000004.00000001.00020000.00000000.sdmp, 52CE.exe, 00000007.00000003.2336164835.0000000002343000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: 52CE.exe, 00000007.00000003.2358835967.0000000002F2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: explorer.exe, 00000002.00000000.2115395626.00000000099AB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: explorer.exe, 00000002.00000000.2117072939.000000000BFDF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000002.00000000.2115057118.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000002.00000000.2115057118.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/I
Source: explorer.exe, 00000002.00000000.2115057118.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000002.00000000.2115057118.000000000962B000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000002.00000000.2112640933.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=435B7A89D7D74BDF801F2DA188906BAF&timeOut=5000&oc
Source: explorer.exe, 00000002.00000000.2112640933.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2115057118.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000002.00000000.2115057118.000000000973C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000002.00000000.2112640933.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000002.00000000.2112640933.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
Source: 58CA.exe, 00000011.00000003.4030191989.000000003C58F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://bookends.cdn.vpsvc.com/html/statics/dep-share/v8_bundle-faf089dc.js
Source: 52CE.exe, 00000007.00000003.2358835967.0000000002F2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: explorer.exe, 00000002.00000000.2112640933.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000002.00000000.2112640933.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000002.00000000.2112640933.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz
Source: explorer.exe, 00000002.00000000.2112640933.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark
Source: 52CE.exe, 00000007.00000003.2358835967.0000000002F2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 52CE.exe, 00000007.00000003.2358835967.0000000002F2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 52CE.exe, 00000007.00000003.2509088566.0000000000841000.00000004.00000020.00020000.00000000.sdmp, 52CE.exe, 00000007.00000003.2508897548.00000000008D0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://claimconcessionrebe.shop/
Source: 52CE.exe, 00000007.00000003.2357497536.0000000000829000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://claimconcessionrebe.shop/9g
Source: 52CE.exe, 00000007.00000003.2370596947.00000000008AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://claimconcessionrebe.shop/?h
Source: 52CE.exe, 00000007.00000003.2357497536.0000000000841000.00000004.00000020.00020000.00000000.sdmp, 52CE.exe, 00000007.00000003.2451172289.00000000008A9000.00000004.00000020.00020000.00000000.sdmp, 52CE.exe, 00000007.00000003.2473453710.00000000008AB000.00000004.00000020.00020000.00000000.sdmp, 52CE.exe, 00000007.00000002.2536018433.00000000008AB000.00000004.00000020.00020000.00000000.sdmp, 52CE.exe, 00000007.00000003.2404960865.00000000008B5000.00000004.00000020.00020000.00000000.sdmp, 52CE.exe, 00000007.00000003.2370596947.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, 52CE.exe, 00000007.00000003.2508519144.00000000008AB000.00000004.00000020.00020000.00000000.sdmp, 52CE.exe, 00000007.00000003.2509088566.0000000000841000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://claimconcessionrebe.shop/api
Source: 52CE.exe, 00000007.00000003.2506090974.00000000008AB000.00000004.00000020.00020000.00000000.sdmp, 52CE.exe, 00000007.00000002.2536018433.00000000008AB000.00000004.00000020.00020000.00000000.sdmp, 52CE.exe, 00000007.00000003.2508519144.00000000008AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://claimconcessionrebe.shop/apiN
Source: 52CE.exe, 00000007.00000003.2451172289.00000000008A9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://claimconcessionrebe.shop/apitN
Source: 52CE.exe, 00000007.00000003.2358962427.0000000002F28000.00000004.00000800.00020000.00000000.sdmp, 52CE.exe, 00000007.00000003.2358835967.0000000002F2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 52CE.exe, 00000007.00000003.2358962427.0000000002F28000.00000004.00000800.00020000.00000000.sdmp, 52CE.exe, 00000007.00000003.2358835967.0000000002F2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 52CE.exe, 00000007.00000003.2358962427.0000000002F28000.00000004.00000800.00020000.00000000.sdmp, 52CE.exe, 00000007.00000003.2358835967.0000000002F2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: explorer.exe, 00000002.00000000.2117072939.000000000C048000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com-
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i5.walmartimages.com/asr/036b6949-9d3a-4ec3-8c96-0199e264ad76.c0b9a0d121e0842d12e834590fc417
Source: 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i5.walmartimages.com/asr/108f286f-fb55-4b0b-b77a-a9dfb22cf4d3.b8c9e952f412cc20cea0c5cb86daaa
Source: 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i5.walmartimages.com/asr/4b8caa32-a7c4-41ed-88a8-93e79984ba4d.ebc51273a3f0428049f51fe85c7fd6
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i5.walmartimages.com/asr/9caacb97-7172-4d68-8beb-ce1965d87d56.ee371dfa453f290bcd462a64c1c83b
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i5.walmartimages.com/asr/c227e160-1b31-45fb-a3aa-2aaa922c5e36.4d06f03e1717d33bdf57e44e398c99
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i5.walmartimages.com/asr/d65f3348-4afe-4667-bc2c-85651b97df3b.4bff1ee59f291884e1b9c75b19e987
Source: 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i5.walmartimages.com/asr/f29c5883-ea93-47b7-91e0-83e553f6521a.c5e444bea30956531d283c6fa6273d
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i5.walmartimages.com/dfw/4ff9c6c9-1920/k2-_eba01adf-bf8c-43f3-9f0d-b1ab61dda095.v1.jpg
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i5.walmartimages.com/dfw/4ff9c6c9-1d80/k2-_2717e6b4-7f29-450b-be46-415792fb365f.v1.jpg
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i5.walmartimages.com/dfw/4ff9c6c9-1f74/k2-_632281e7-d1ef-4358-8ca2-66bd2c2678f0.v1.jpg
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i5.walmartimages.com/dfw/4ff9c6c9-273f/k2-_2c3a5a53-903c-4b40-aa3c-4af2ec662bce.v1.jpg
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i5.walmartimages.com/dfw/4ff9c6c9-2e0c/k2-_10223c8b-2686-4bd4-8ac9-c7e9da248e0a.v1.jpg
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i5.walmartimages.com/dfw/4ff9c6c9-364a/k2-_5c4cbd98-0f51-4e00-9c26-3335227d3b53.v1.jpg
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i5.walmartimages.com/dfw/4ff9c6c9-4677/k2-_80471a98-6b3c-478c-854f-db226c97af19.v1.jpg
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i5.walmartimages.com/dfw/4ff9c6c9-4775/k2-_0e8012c6-6a7b-442d-a46f-be538a20e0ae.v1.jpg
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i5.walmartimages.com/dfw/4ff9c6c9-48f6/k2-_7aed4b13-f076-4785-8b0c-2a8343c2b70c.v1.jpg
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i5.walmartimages.com/dfw/4ff9c6c9-49a1/k2-_34929c48-8885-4b5f-9448-b9abc7b04116.v1.jpg
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i5.walmartimages.com/dfw/4ff9c6c9-4a23/k2-_7caf0f79-3f76-4cb0-8ea4-5849e1657bae.v1.jpg
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i5.walmartimages.com/dfw/4ff9c6c9-4e0f/k2-_7fcd9674-3427-4927-b9fa-b1195d69a7d4.v1.jpg
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i5.walmartimages.com/dfw/4ff9c6c9-6406/k2-_987b6e28-ac24-4c30-a150-afe57033daf2.v1.jpg
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i5.walmartimages.com/dfw/4ff9c6c9-648f/k2-_c76e7139-cecb-4d48-893d-686d9bbbbfbe.v1.jpg
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i5.walmartimages.com/dfw/4ff9c6c9-64b9/k2-_6b3d48c1-0664-4310-b44c-1da866885771.v1.jpg
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i5.walmartimages.com/dfw/4ff9c6c9-6897/k2-_9d771225-ddc0-4ae4-8302-1921a8ace961.v1.jpg
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i5.walmartimages.com/dfw/4ff9c6c9-6a8d/k2-_4f147c7f-478b-4e25-96c7-22fbcda3cf40.v1.jpg
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i5.walmartimages.com/dfw/4ff9c6c9-6ae2/k2-_437b9bc6-13b2-4b28-8442-34ea21968531.v1.jpg
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i5.walmartimages.com/dfw/4ff9c6c9-8370/k2-_15a0a4d2-1619-4914-94cd-774567d41404.v1.jpg
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i5.walmartimages.com/dfw/4ff9c6c9-84db/k2-_5d160174-ff31-4dd5-851c-dc710eec781e.v1.jpg
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i5.walmartimages.com/dfw/4ff9c6c9-9191/k2-_3973f72a-4c18-4127-b2eb-de7c8eb320e0.v1.jpg
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i5.walmartimages.com/dfw/4ff9c6c9-9674/k2-_cd6b8be4-8bfb-47bc-9843-49e8ed571106.v1.jpg
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i5.walmartimages.com/dfw/4ff9c6c9-a099/k2-_6958c2af-b8a0-4fce-86a5-2b62a23d0e62.v1.jpg
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i5.walmartimages.com/dfw/4ff9c6c9-a6f3/k2-_26dabc42-d17d-4b93-aa58-dcd5a9ed744b.v1.jpg
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i5.walmartimages.com/dfw/4ff9c6c9-b54d/k2-_05ed48cf-f4b0-48ad-bac2-ce16c73da5af.v1.jpg
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i5.walmartimages.com/dfw/4ff9c6c9-b684/k2-_a080ff7f-9bb4-4033-9402-ee665c58fac7.v1.jpg
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i5.walmartimages.com/dfw/4ff9c6c9-bf80/k2-_98fd2df6-c703-4e47-8269-1d2b66df2faf.v1.jpg
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i5.walmartimages.com/dfw/4ff9c6c9-d172/k2-_03f75c9e-4b5c-4553-9439-4a9febfafab9.v1.jpg
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i5.walmartimages.com/dfw/4ff9c6c9-da61/k2-_56a58d5c-0b26-46ec-b335-1b9f0cdaed17.v1.jpg
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i5.walmartimages.com/dfw/4ff9c6c9-db33/k2-_76752a43-1765-455e-85d2-16a450d8ff5a.v1.jpg
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i5.walmartimages.com/dfw/4ff9c6c9-dfbc/k2-_d1dfad32-2c36-47c1-a247-158d770058e7.v1.jpg
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i5.walmartimages.com/dfw/4ff9c6c9-e091/k2-_5abd632e-14d1-44b2-8361-fd23d6198365.v1.jpg
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i5.walmartimages.com/dfw/4ff9c6c9-f2d4/k2-_132eead8-ed1f-4151-b38a-ba0c55c03322.v1.jpg
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i5.walmartimages.com/dfw/4ff9c6c9-f903/k2-_593c15ba-e773-49f3-9de3-d36778997619.v1.jpg
Source: 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i5.walmartimages.com/seo/5-Pack-Men-s-Dry-Fit-Active-Athletic-Performance-Crew-Neck-T-Shirts
Source: 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i5.walmartimages.com/seo/5ft-Artificial-Eucalyptus-Silk-Plants-Pot-Faux-Plastic-Tree-Durable
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i5.walmartimages.com/seo/Airtight-Pantry-Storage-Canisters-for-Flour-Sugar-Pantrystar-2-Pcs-
Source: 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i5.walmartimages.com/seo/Animals-Plush-Toy-Lunar-Year-Plush-Dragon-for-Couch-Lunar-New-Year-
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i5.walmartimages.com/seo/Beats-Studio-Buds-True-Wireless-Noise-Cancelling-Bluetooth-Earbuds-
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i5.walmartimages.com/seo/HOBIBEAR-Women-s-Snow-Boots-Anti-Slip-Waterproof-Warm-Winter-Shoes_
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i5.walmartimages.com/seo/INGALIK-Convertible-Sectional-Sofa-Couch-L-Shaped-Couch-Reversible-
Source: 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i5.walmartimages.com/seo/INGALIK-Twin-Mattress-Topper-Extra-Thick-Cooling-Pad-Cover-400TC-Co
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i5.walmartimages.com/seo/Juicy-Couture-Viva-La-Juicy-Eau-De-Parfum-Perfume-for-Women-0-5-Oz_
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i5.walmartimages.com/seo/Karaoke-Machine-Mini-Portable-Bluetooth-Singing-Speaker-Adults-Kids
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i5.walmartimages.com/seo/Melalenia-Luggage-Carry-on-Luggage-PP-Material-Luggage-with-Spinner
Source: 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i5.walmartimages.com/seo/NELEUS-Womens-High-Waist-Running-Workout-Yoga-Leggings-with-Pockets
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i5.walmartimages.com/seo/PHANCIR-Under-Sink-Organizer-2-Tier-Multi-Purpose-Large-Capacity-Ki
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i5.walmartimages.com/seo/Prep-Naturals-Food-Storage-Containers-Disposable-Meal-Prep-Containe
Source: 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i5.walmartimages.com/seo/Restored-Apple-iPad-10-2-inch-Retina-Wi-Fi-Only-32GB-Latest-OS-Bund
Source: 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i5.walmartimages.com/seo/Restored-Apple-iPhone-11-64GB-Verizon-GSM-Unlocked-T-Mobile-AT-T-4G
Source: 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i5.walmartimages.com/seo/Slsy-Folding-Bed-Cot-with-3-3-Inch-Mattress-75-28-Folding-Camping-C
Source: 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i5.walmartimages.com/seo/Twin-Mattress-Nisien-10-Inch-Hybrid-Mattress-Box-Gel-Memory-Foam-Ma
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i5.walmartimages.com/seo/WhatsBedding-2-Pieces-Bed-in-a-Bag-Comforter-Set-Duvet-Insert-Rever
Source: 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i5.walmartimages.com/seo/YDZJY-Walking-Pad-Walking-Treadmill-Under-Desk-Treadmill-2-in-1-for
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://i5.walmartimages.com/seo/YOUPINS-Double-Laundry-Hamper-Lid-Removable-Bags-Large-Collapsible-
Source: explorer.exe, 00000002.00000000.2112640933.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000002.00000000.2112640933.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAzME7S.img
Source: explorer.exe, 00000002.00000000.2117072939.000000000C048000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.come
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://player.vimeo.com/progressive_redirect/playback/853528055/rendition/1080p/file.mp4?loc=extern
Source: explorer.exe, 00000002.00000000.2117072939.000000000BFEF000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.comEMd
Source: 58CA.exe, 00000011.00000003.2969930160.0000000002F09000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.2959484573.0000000003B36000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.2959949994.0000000003C99000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.2963025040.0000000003F52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sabotage.net
Source: explorer.exe, 00000002.00000000.2112640933.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000002.00000000.2112640933.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000002.00000000.2115395626.00000000099AB000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/e
Source: explorer.exe, 00000002.00000000.2117072939.000000000C048000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.comM
Source: 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.blankbeauty.com/Walmart?povid=GlobalNav_rWeb_Beauty_TrendinginBeauty_BlankBeautyCustomNa
Source: 52CE.exe, 00000007.00000003.2358835967.0000000002F2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: 52CE.exe, 00000007.00000003.2358835967.0000000002F2B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: explorer.exe, 00000002.00000000.2112640933.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/10-things-rich-people-never-buy-and-you-shouldn-t-ei
Source: explorer.exe, 00000002.00000000.2112640933.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/money-matters-changing-institution-of-marriage/ar-AA
Source: explorer.exe, 00000002.00000000.2112640933.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
Source: explorer.exe, 00000002.00000000.2112640933.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/savingandinvesting/americans-average-net-worth-by-age/ar-AA1h4ngF
Source: explorer.exe, 00000002.00000000.2112640933.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/how-donald-trump-helped-kari-lake-become-arizona-s-and-ameri
Source: explorer.exe, 00000002.00000000.2112640933.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-
Source: explorer.exe, 00000002.00000000.2112640933.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-h
Source: explorer.exe, 00000002.00000000.2112640933.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu
Source: explorer.exe, 00000002.00000000.2112640933.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/a-federal-emergency-alert-will-be-sent-to-us-phones-nation
Source: explorer.exe, 00000002.00000000.2112640933.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c
Source: explorer.exe, 00000002.00000000.2112640933.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 00000002.00000000.2112640933.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/world/us-supplies-ukraine-with-a-million-rounds-of-ammunition-seized-
Source: explorer.exe, 00000002.00000000.2112640933.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of-
Source: explorer.exe, 00000002.00000000.2112640933.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve
Source: explorer.exe, 00000002.00000000.2112640933.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/browse/7924299?facet=fulfillment_speed%3AToday
Source: 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/browse/beauty-by-top-brands/equate-beauty/1085666_3316357_8168824?povid=Glob
Source: 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/browse/beauty/exclusives/1085666_5349205?povid=GlobalNav_rWeb_Beauty_Trendin
Source: 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/browse/beauty/travel-size-beauty/1085666_8097138?povid=GlobalNav_rWeb_Beauty
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/browse/electronics/home-audio-theater/3944_77622?povid=GlobalNav_rWeb_GameTi
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/browse/electronics/shop-tvs-by-size/3944_1060825_2489948?povid=GlobalNav_rWe
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/browse/electronics/streaming-devices/3944_77622_7549938_1229631_1085065?povi
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/browse/food/shop-all-game-time-food/976759_1567409_3282877_6093905?povid=Glo
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/browse/home/all-folding-furniture/4044_103150_2506585_5247588?povid=GlobalNa
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4060926865.0000000029D0A000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/browse/home/kids-bathroom/4044_1154295_1143252?povid=GlobalNav_rWeb_Kids_Kid
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4060926865.0000000029D0A000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/browse/home/kids-characters/4044_1154295_6561064?povid=GlobalNav_rWeb_Kids_K
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4060926865.0000000029D0A000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/browse/home/kids-furniture/4044_1154295_1155958?povid=GlobalNav_rWeb_Kids_Ki
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4060926865.0000000029D0A000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/browse/home/kids-room-decor/4044_1154295_1156072?povid=GlobalNav_rWeb_Kids_K
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/browse/home/shop-kitchen-appliances/4044_90548_90546_5175115?facet=facet_pro
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4060926865.0000000029D0A000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/browse/men-s-essentials/1005862_1056884?max_price=10min_price=0&povid=Gl
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/browse/party-occasions/football-party-occasions/2637_7336515?povid=GlobalNav
Source: 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/browse/premium-bath-body/premium-sun-care-sunscreens/7924299_3571844_9069144
Source: 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/browse/premium-beauty/facial-skin-care/7924299_6754293?povid=GlobalNav_rWeb_
Source: 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/browse/premium-beauty/premium-hair-care/7924299_3522922?povid=GlobalNav_rWeb
Source: 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/browse/premium-beauty/premium-makeup/7924299_1417743?povid=GlobalNav_rWeb_Be
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/browse/seasonal/outdoor-hosting/1085632_8704122?povid=GlobalNav_rWeb_GameTim
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/browse/sports-outdoors/nfl-shop-all/4125_1063984_1423455_7175574?povid=Globa
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4060926865.0000000029D0A000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/browse/toys/kids-playhouses/4171_14521_3747773?povid=GlobalNav_rWeb_Kids_Kid
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4060926865.0000000029D0A000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/browse/toys/swing-sets/4171_14521_6449441?povid=GlobalNav_rWeb_Kids_KidsSpor
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4060926865.0000000029D0A000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/browse/toys/toys-for-kids-12-years-up/4171_3318550_1077724?povid=GlobalNav_r
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4060926865.0000000029D0A000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/browse/toys/toys-for-kids-5-to-7-years/4171_3318550_617941?povid=GlobalNav_r
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4060926865.0000000029D0A000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/browse/toys/toys-for-kids-8-to-11-years/4171_3318550_617942?povid=GlobalNav_
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/browse/video-games/madden-nfl-24/2636_7899038_6075006_6774374?povid=GlobalNa
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/cp/6957270?povid=GlobalNav_rWeb_Kids_ShopAllKids_Control
Source: 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/cp/7924299?povid=GlobalNav_rWeb_Beauty_PremiumBeauty_ShopAll_051123
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4060926865.0000000029D0A000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/cp/castrol/3373615?povid=GlobalNav_rWeb_AutoTires_FeaturedBrands_Castrol
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/cp/character-shop/5939293?povid=GlobalNav_rWeb_Kids_FeaturedShops_CharacterS
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/cp/game-time/1091906?povid=GlobalNav_rWeb_GameTime_ShopAll
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4060926865.0000000029D0A000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/cp/kids-bedding/1156114?povid=GlobalNav_rWeb_Kids_KidsRooms_KidsBedding_Cont
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4060926865.0000000029D0A000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/cp/kids-bikes-riding-toys/133073?povid=GlobalNav_rWeb_Kids_KidsSportsOutdoor
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4060926865.0000000029D0A000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/cp/kids-rooms/1154295?povid=GlobalNav_rWeb_Kids_KidsRooms_ShopAllKidsRooms_C
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4060926865.0000000029D0A000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/cp/nintendo-switch/4646529?povid=GlobalNav_rWeb_Kids_VideoGames_Nintendo_Con
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4060926865.0000000029D0A000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/cp/outdoor-play/14521?povid=GlobalNav_rWeb_Kids_KidsSportsOutdoors_ShopAllOu
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4060926865.0000000029D0A000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/cp/outdoor-toys/14521?povid=GlobalNav_rWeb_Kids_KidsSportsOutdoors_OutdoorTo
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4060926865.0000000029D0A000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/cp/playstation-5/3475115?povid=GlobalNav_rWeb_Kids_VideoGames_Playstation_Co
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4060926865.0000000029D0A000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/cp/preschool-toys/1077545?povid=GlobalNav_rWeb_Kids_KidsToys_PreschoolToy_Co
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4060926865.0000000029D0A000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/cp/recreation/1224931?povid=GlobalNav_rWeb_Kids_KidsSportsOutdoors_Recreatio
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4060926865.0000000029D0A000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/cp/sports/4161?povid=GlobalNav_rWeb_Kids_KidsSportsOutdoors_ShopAllSports_Co
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/cp/supporting-black-communities/5486926?athAsset=eyJhdGhjcGlkIjoiNWYyZDViZTE
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4060926865.0000000029D0A000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/cp/toys/4171?povid=GlobalNav_rWeb_Kids_KidsToys_ShopAllToys_Control
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4060926865.0000000029D0A000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/cp/valentines-day-kids-celebrations/1723769?povid=GlobalNav_rWeb_Kids_Featur
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4060926865.0000000029D0A000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/cp/video-games/2636?povid=GlobalNav_rWeb_Kids_VideoGames_ShopAllVideoGames_C
Source: 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/cp/walmart-in-the-know/7781927
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4060926865.0000000029D0A000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/cp/xbox-series-x/9206773?povid=GlobalNav_rWeb_Kids_VideoGames_Xbox_Control
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/shop/clothing-and-accessories/new-arrivals?povid=GlobalNav_rWeb_ClothingShoe
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/shop/deals/all-home?povid=GlobalNav_rWeb_Deals_Deals_Home
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/shop/deals/clothing-and-accessories?povid=GlobalNav_rWeb_Deals_Deals_Clothin
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/shop/deals/electronics/apple
Source: 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/shop/deals/electronics/apple?athAsset=eyJhdGhjcGlkIjoiZmNmMTJhZGUtNjdkOS00MW
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/shop/deals/electronics?povid=GlobalNav_rWeb_Deals_Deals_Electronics
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/shop/deals/kids?povid=GlobalNav_rWeb_Kids_KidsDeals_Control
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4060926865.0000000029D0A000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/shop/deals/seasonal-decor?povid=GlobalNav_rWeb_Deals_Deals_SeasonalDecor
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/shop/deals/toys?povid=GlobalNav_rWeb_Deals_Deals_Toys
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4060926865.0000000029D0A000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/shop/deals/toys?povid=GlobalNav_rWeb_Kids_KidsToys_ToyDeals_Control
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/shop/deals?povid=GlobalNav_rWeb_Deals_Deals_ShopAll
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/shop/game-time-bulk-items?povid=GlobalNav_rWeb_GameTime_BulkSupplies
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/shop/seasonal-fashion?povid=GlobalNav_rWeb_Kids_FeaturedShops_ColdWeatherSho
Source: 58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.walmart.com/shop/seasonal/household-essentials/cleaning-supplies?povid=GlobalNav_rWeb_Ga

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 38.2.BD27.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.BD27.exe.2bd0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.BD27.exe.2bc0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2122757186.00000000020B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2363904788.00000000004D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.2625881100.0000000002BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2122714644.0000000002090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.2680038796.0000000002BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2364285288.0000000000551000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.2680205009.0000000002C11000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

E-Banking Fraud

Yara detected Glupteba

Source: Yara match	File source: 44.2.288c47bbc1871b439df19ff4df68f076.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.288c47bbc1871b439df19ff4df68f076.exe.4f60e67.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.3.288c47bbc1871b439df19ff4df68f076.exe.58d0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.288c47bbc1871b439df19ff4df68f076.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.288c47bbc1871b439df19ff4df68f076.exe.4fe0e67.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.288c47bbc1871b439df19ff4df68f076.exe.5850000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000016.00000002.2669166825.00000000053A3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.2695084948.0000000000843000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.2663525231.0000000005D12000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.2739842815.0000000005423000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.2535351079.0000000005C92000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2661056946.0000000000843000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY

System Summary

Malicious sample detected (through community Yara rule)

Source: 16.2.5C46.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 10.2.5C46.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 20.0.8B96.exe.930000.0.unpack, type: UNPACKEDPE	Matched rule: Detects downloader / injector Author: ditekSHen
Source: 30.2.nsh9BCF.tmp.2b70e67.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 30.2.nsh9BCF.tmp.2b70e67.1.unpack, type: UNPACKEDPE	Matched rule: Detects executables containing potential Windows Defender anti-emulation checks Author: ditekSHen
Source: 00000006.00000002.2363431931.00000000004C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000002B.00000002.2660260455.0000000004E00000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2122757186.00000000020B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000002C.00000002.2739842815.0000000004FE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0000002C.00000002.2728077355.0000000004BE0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2122690423.0000000002080000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000006.00000002.2363904788.00000000004D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000026.00000002.2679986992.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000016.00000002.2668458001.0000000004A58000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000000.00000002.2122714644.0000000002090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000001E.00000002.3306141637.0000000002B70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000016.00000002.2669166825.0000000004F60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000000.00000002.2122463373.000000000048D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000026.00000002.2680038796.0000000002BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 0000001E.00000002.3311798789.0000000002C09000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000006.00000002.2364285288.0000000000551000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000006.00000002.2364391445.00000000005AE000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000026.00000002.2680618871.0000000002C79000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000026.00000002.2680205009.0000000002C11000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000009.00000002.2441680458.0000000004905000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR	Matched rule: Semi-Auto-generated - file ironshell.php.txt Author: Neo23x0 Yara BRG + customization by Stefan -dfate- Molls
Source: C:\Users\user\AppData\Local\Temp\8B96.exe, type: DROPPED	Matched rule: Detects downloader / injector Author: ditekSHen

PE file contains section with special chars

Source: 7147.exe.2.dr	Static PE information: section name: .size>\
Source: 7147.exe.2.dr	Static PE information: section name: .size>\

Source: C:\Windows\explorer.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Memory allocated: 7385F000 page read and write			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Memory allocated: 751CC000 page read and write			Jump to behavior

Source: C:\Users\user\Desktop\v6SEx6rJ3E.exe	Code function: 0_2_00401553 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401553
Source: C:\Users\user\Desktop\v6SEx6rJ3E.exe	Code function: 0_2_00401561 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401561
Source: C:\Users\user\Desktop\v6SEx6rJ3E.exe	Code function: 0_2_0040156B NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_0040156B
Source: C:\Users\user\Desktop\v6SEx6rJ3E.exe	Code function: 0_2_0040156F NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_0040156F
Source: C:\Users\user\Desktop\v6SEx6rJ3E.exe	Code function: 0_2_00401729 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401729
Source: C:\Users\user\Desktop\v6SEx6rJ3E.exe	Code function: 0_2_004023E5 NtQuerySystemInformation,	0_2_004023E5
Source: C:\Users\user\Desktop\v6SEx6rJ3E.exe	Code function: 0_2_00401583 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401583
Source: C:\Users\user\Desktop\v6SEx6rJ3E.exe	Code function: 0_2_00401587 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	0_2_00401587
Source: C:\Users\user\Desktop\v6SEx6rJ3E.exe	Code function: 0_2_004026A0 NtEnumerateKey,	0_2_004026A0
Source: C:\Users\user\AppData\Roaming\esiffai	Code function: 6_2_00401553 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	6_2_00401553
Source: C:\Users\user\AppData\Roaming\esiffai	Code function: 6_2_00401561 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	6_2_00401561
Source: C:\Users\user\AppData\Roaming\esiffai	Code function: 6_2_0040156B NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	6_2_0040156B
Source: C:\Users\user\AppData\Roaming\esiffai	Code function: 6_2_0040156F NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	6_2_0040156F
Source: C:\Users\user\AppData\Roaming\esiffai	Code function: 6_2_00401729 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	6_2_00401729
Source: C:\Users\user\AppData\Roaming\esiffai	Code function: 6_2_004023E5 NtQuerySystemInformation,	6_2_004023E5
Source: C:\Users\user\AppData\Roaming\esiffai	Code function: 6_2_00401583 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	6_2_00401583
Source: C:\Users\user\AppData\Roaming\esiffai	Code function: 6_2_00401587 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	6_2_00401587
Source: C:\Users\user\AppData\Roaming\esiffai	Code function: 6_2_004026A0 NtEnumerateKey,	6_2_004026A0
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_00793C30 NtAllocateVirtualMemory,NtFreeVirtualMemory,	7_2_00793C30
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_00796930 NtAllocateVirtualMemory,NtFreeVirtualMemory,	7_2_00796930
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_007979A0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	7_2_007979A0
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_00793E10 NtAllocateVirtualMemory,NtFreeVirtualMemory,	7_2_00793E10
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_0078FEC0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	7_2_0078FEC0
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_00770EA0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	7_2_00770EA0
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_00768370 NtAllocateVirtualMemory,NtFreeVirtualMemory,	7_2_00768370
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_00795F40 NtAllocateVirtualMemory,NtFreeVirtualMemory,	7_2_00795F40
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_00796730 NtAllocateVirtualMemory,NtFreeVirtualMemory,	7_2_00796730
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_00795B20 NtAllocateVirtualMemory,NtFreeVirtualMemory,	7_2_00795B20
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_0078FFD0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	7_2_0078FFD0
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_007963D0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	7_2_007963D0
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_00784BB0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	7_2_00784BB0
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_00797B90 NtAllocateVirtualMemory,NtFreeVirtualMemory,	7_2_00797B90
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_0077B070 NtAllocateVirtualMemory,NtFreeVirtualMemory,	7_2_0077B070
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_00773850 NtAllocateVirtualMemory,NtFreeVirtualMemory,	7_2_00773850
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_00773C20 NtAllocateVirtualMemory,NtFreeVirtualMemory,	7_2_00773C20
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_007908A0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	7_2_007908A0
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_00790480 NtAllocateVirtualMemory,NtFreeVirtualMemory,	7_2_00790480
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_00797560 NtAllocateVirtualMemory,NtFreeVirtualMemory,	7_2_00797560
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_00795D20 NtAllocateVirtualMemory,NtFreeVirtualMemory,	7_2_00795D20
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_00768500 NtAllocateVirtualMemory,NtFreeVirtualMemory,	7_2_00768500
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_0078DD00 NtAllocateVirtualMemory,NtFreeVirtualMemory,	7_2_0078DD00
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_00796D00 NtAllocateVirtualMemory,NtFreeVirtualMemory,	7_2_00796D00
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_00786DD0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	7_2_00786DD0
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_00796180 NtAllocateVirtualMemory,NtFreeVirtualMemory,	7_2_00796180
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_00773660 NtAllocateVirtualMemory,NtFreeVirtualMemory,	7_2_00773660
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_00773A60 NtAllocateVirtualMemory,NtFreeVirtualMemory,	7_2_00773A60
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_00790240 NtAllocateVirtualMemory,NtFreeVirtualMemory,	7_2_00790240
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_007906C0 NtAllocateVirtualMemory,NtFreeVirtualMemory,	7_2_007906C0
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_00786F70 NtAllocateVirtualMemory,NtFreeVirtualMemory,	7_2_00786F70
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_00796F10 NtAllocateVirtualMemory,NtFreeVirtualMemory,	7_2_00796F10
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_00797390 NtAllocateVirtualMemory,NtFreeVirtualMemory,	7_2_00797390
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Code function: 9_2_04AC0110 VirtualAlloc,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess,	9_2_04AC0110
Source: C:\Users\user\AppData\Local\Temp\5C46.exe	Code function: 10_2_00409543 GetWindowsDirectoryW,NtAllocateVirtualMemory,EnterCriticalSection,RtlInitUnicodeString,RtlInitUnicodeString,LeaveCriticalSection,LdrEnumerateLoadedModules,	10_2_00409543
Source: C:\Users\user\AppData\Local\Temp\5C46.exe	Code function: 10_2_0040E48D NtQuerySystemInformation,	10_2_0040E48D
Source: C:\Users\user\AppData\Local\Temp\5C46.exe	Code function: 10_2_00401B2C NtQueryInformationProcess,	10_2_00401B2C
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 15_2_04F258B8 NtCreateThreadEx,	15_2_04F258B8
Source: C:\Users\user\AppData\Local\Temp\5C46.exe	Code function: 16_2_00409543 GetWindowsDirectoryW,NtAllocateVirtualMemory,EnterCriticalSection,RtlInitUnicodeString,RtlInitUnicodeString,LeaveCriticalSection,LdrEnumerateLoadedModules,	16_2_00409543
Source: C:\Users\user\AppData\Local\Temp\5C46.exe	Code function: 16_2_00401B2C NtQueryInformationProcess,	16_2_00401B2C
Source: C:\Users\user\AppData\Local\Temp\5C46.exe	Code function: 16_2_004023F2 LoadLibraryA,LookupPrivilegeValueA,AdjustTokenPrivileges,LoadLibraryA,NtShutdownSystem,	16_2_004023F2
Source: C:\Users\user\AppData\Local\Temp\5C46.exe	Code function: 16_2_0040E48D NtQuerySystemInformation,	16_2_0040E48D

Source: C:\Users\user\AppData\Local\Temp\5C46.exe

Code function: 10_2_0040B453: DeviceIoControl,

10_2_0040B453

Source: C:\Users\user\AppData\Local\Temp\5C46.exe

Code function: 16_2_004023F2 LoadLibraryA,LookupPrivilegeValueA,AdjustTokenPrivileges,LoadLibraryA,NtShutdownSystem,

16_2_004023F2

Source: C:\Users\user\Desktop\v6SEx6rJ3E.exe	Code function: 0_2_0042E662	0_2_0042E662
Source: C:\Users\user\Desktop\v6SEx6rJ3E.exe	Code function: 0_2_0042FA10	0_2_0042FA10
Source: C:\Users\user\Desktop\v6SEx6rJ3E.exe	Code function: 0_2_0042D161	0_2_0042D161
Source: C:\Users\user\Desktop\v6SEx6rJ3E.exe	Code function: 0_2_0042F102	0_2_0042F102
Source: C:\Users\user\Desktop\v6SEx6rJ3E.exe	Code function: 0_2_0042FD0F	0_2_0042FD0F
Source: C:\Users\user\Desktop\v6SEx6rJ3E.exe	Code function: 0_2_0042F795	0_2_0042F795
Source: C:\Users\user\Desktop\v6SEx6rJ3E.exe	Code function: 0_2_00431FAF	0_2_00431FAF
Source: C:\Users\user\Desktop\v6SEx6rJ3E.exe	Code function: 0_2_0042EBB1	0_2_0042EBB1
Source: C:\Users\user\AppData\Roaming\esiffai	Code function: 6_2_0042E662	6_2_0042E662
Source: C:\Users\user\AppData\Roaming\esiffai	Code function: 6_2_0042FA10	6_2_0042FA10
Source: C:\Users\user\AppData\Roaming\esiffai	Code function: 6_2_0042D161	6_2_0042D161
Source: C:\Users\user\AppData\Roaming\esiffai	Code function: 6_2_0042F102	6_2_0042F102
Source: C:\Users\user\AppData\Roaming\esiffai	Code function: 6_2_0042FD0F	6_2_0042FD0F
Source: C:\Users\user\AppData\Roaming\esiffai	Code function: 6_2_0042F795	6_2_0042F795
Source: C:\Users\user\AppData\Roaming\esiffai	Code function: 6_2_00431FAF	6_2_00431FAF
Source: C:\Users\user\AppData\Roaming\esiffai	Code function: 6_2_0042EBB1	6_2_0042EBB1
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_00407458	7_2_00407458
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_0042D058	7_2_0042D058
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_00401000	7_2_00401000
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_00408801	7_2_00408801
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_0041E018	7_2_0041E018
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_00427438	7_2_00427438
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_0040A0D2	7_2_0040A0D2
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_00429088	7_2_00429088
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_0041F8A8	7_2_0041F8A8
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_00427CA8	7_2_00427CA8
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_0041FCB8	7_2_0041FCB8
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_00454168	7_2_00454168
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_00456568	7_2_00456568
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_0042B118	7_2_0042B118
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_0041ED98	7_2_0041ED98
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_0040799C	7_2_0040799C
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_004521B8	7_2_004521B8
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_0044A608	7_2_0044A608
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_0042C218	7_2_0042C218
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_00407EE0	7_2_00407EE0
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_0042BAE8	7_2_0042BAE8
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_004062B3	7_2_004062B3
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_0045CEB8	7_2_0045CEB8
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_00425B18	7_2_00425B18
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_00432718	7_2_00432718
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_0041D338	7_2_0041D338
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_00465B38	7_2_00465B38
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_0041C7C8	7_2_0041C7C8
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_004123D8	7_2_004123D8
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_004287D8	7_2_004287D8
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_004657D8	7_2_004657D8
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_0041F3E8	7_2_0041F3E8
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_00426B98	7_2_00426B98
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_0075DC50	7_2_0075DC50
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_0075BD10	7_2_0075BD10
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_0075CE10	7_2_0075CE10
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_0075C6E0	7_2_0075C6E0
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_00796730	7_2_00796730
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_007593D0	7_2_007593D0
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_007963D0	7_2_007963D0
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_00758030	7_2_00758030
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_0074EC10	7_2_0074EC10
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_00741000	7_2_00741000
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_007508B0	7_2_007508B0
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_007504A0	7_2_007504A0
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_007588A0	7_2_007588A0
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_00759C80	7_2_00759C80
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_00784D60	7_2_00784D60
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_00782DB0	7_2_00782DB0
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_0074F990	7_2_0074F990
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_0077B200	7_2_0077B200
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_0078DAB0	7_2_0078DAB0
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_0074DF30	7_2_0074DF30
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_00756710	7_2_00756710
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_00763310	7_2_00763310
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_0074FFE0	7_2_0074FFE0
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_00742FD0	7_2_00742FD0
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_0074D3C0	7_2_0074D3C0
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_00757790	7_2_00757790
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_00741780	7_2_00741780
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 15_2_04DF4794	15_2_04DF4794
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 15_2_04DF1018	15_2_04DF1018
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 15_2_04DF42C8	15_2_04DF42C8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 15_2_04DF2438	15_2_04DF2438
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 15_2_04DF3678	15_2_04DF3678
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 15_2_04DF54EC	15_2_04DF54EC
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 15_2_04DF43E0	15_2_04DF43E0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 15_2_04F21972	15_2_04F21972
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 15_2_04F210BB	15_2_04F210BB
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 15_2_04F258B8	15_2_04F258B8
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 15_2_04F247E0	15_2_04F247E0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 15_2_04F2E820	15_2_04F2E820
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 15_2_04F252AB	15_2_04F252AB
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 15_2_04F2E191	15_2_04F2E191
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 15_2_04F2E370	15_2_04F2E370
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 15_2_04F24AB0	15_2_04F24AB0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 15_2_04F24530	15_2_04F24530
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 15_2_04F254A0	15_2_04F254A0
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 15_2_04F2E590	15_2_04F2E590

Source: Joe Sandbox View	Dropped File: C:\ProgramData\DeliveryStatusFields_65\DeliveryStatusFields_65.exe 84FE81E96ADEA7140A714181417137D54695F489A1AA4900A6875E76D8B26046
Source: Joe Sandbox View	Dropped File: C:\ProgramData\Drivers\csrss.exe EAB7F930DC57ABA040449BF4A2A9E2481873AA897A2305D7BE3C3E36765E2843
Source: Joe Sandbox View	Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA

Source: 58CA.exe.2.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: 99FE.exe.2.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: csrss.exe.17.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: 288c47bbc1871b439df19ff4df68f076.exe.20.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: 99FE.tmp.24.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: 99FE.tmp.24.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: 99FE.tmp.24.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: 99FE.tmp.24.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: 99FE.tmp.31.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: 99FE.tmp.31.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: 99FE.tmp.31.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: 99FE.tmp.31.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped
Source: is-MTO63.tmp.32.dr	Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: is-MTO63.tmp.32.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
Source: is-MTO63.tmp.32.dr	Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: is-MTO63.tmp.32.dr	Static PE information: Resource name: RT_VERSION type: 370 sysV pure executable not stripped

Source: is-G0QLS.tmp.32.dr	Static PE information: Number of sections : 11 > 10
Source: is-N956R.tmp.32.dr	Static PE information: Number of sections : 11 > 10
Source: is-L82B0.tmp.32.dr	Static PE information: Number of sections : 11 > 10
Source: is-U0S2N.tmp.32.dr	Static PE information: Number of sections : 11 > 10
Source: is-3DVHE.tmp.32.dr	Static PE information: Number of sections : 11 > 10
Source: is-R4VT6.tmp.32.dr	Static PE information: Number of sections : 11 > 10
Source: BroomSetup.exe.21.dr	Static PE information: Number of sections : 11 > 10

Source: C:\Users\user\Desktop\v6SEx6rJ3E.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\v6SEx6rJ3E.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\v6SEx6rJ3E.exe	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.cloudstore.schema.shell.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: cdprt.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: smartscreenps.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: windows.internal.shell.broker.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\esiffai	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\esiffai	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\esiffai	Section loaded: msvcr100.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5C46.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5C46.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5C46.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5C46.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5C46.exe	Section loaded: comsvcs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5C46.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5C46.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5C46.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5C46.exe	Section loaded: cmlua.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5C46.exe	Section loaded: cmutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5C46.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: winscard.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Windows\SysWOW64\regsvr32.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5C46.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5C46.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5C46.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Section loaded: winscard.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Section loaded: csunsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Section loaded: swift.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Section loaded: nfhwcrhk.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Section loaded: surewarehook.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Section loaded: csunsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Section loaded: aep.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Section loaded: atasi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Section loaded: swift.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Section loaded: nfhwcrhk.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Section loaded: nuronssl.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Section loaded: surewarehook.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Section loaded: ubsec.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Section loaded: aep.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Section loaded: atasi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Section loaded: swift.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Section loaded: nfhwcrhk.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Section loaded: nuronssl.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Section loaded: surewarehook.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Section loaded: ubsec.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7147.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\7147.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\7147.exe	Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\7147.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\7147.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\7147.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\7147.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\7147.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\7147.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\7147.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\7147.exe	Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\7147.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\7147.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\7147.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\7147.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\7147.exe	Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\7147.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\7147.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\7147.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\7147.exe	Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\7147.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\7147.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\7147.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\7147.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\7147.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\7147.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\7147.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\7147.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\8B96.exe	Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\8B96.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\8B96.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\8B96.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\8B96.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\8B96.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\8B96.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\8B96.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\8B96.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\8B96.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\8B96.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\8B96.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\8B96.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\8B96.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\8B96.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\8B96.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\8B96.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\8B96.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\8B96.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\8B96.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\8B96.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\8B96.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\8B96.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\8B96.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\8B96.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\8B96.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe	Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe	Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Section loaded: samlib.dll
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Section loaded: cscapi.dll
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Section loaded: colorui.dll
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Section loaded: mscms.dll
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Section loaded: coloradapterclient.dll
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Section loaded: compstui.dll
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Section loaded: inetres.dll
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\99FE.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\99FE.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-7LVCL.tmp\99FE.tmp	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-7LVCL.tmp\99FE.tmp	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-7LVCL.tmp\99FE.tmp	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-7LVCL.tmp\99FE.tmp	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-7LVCL.tmp\99FE.tmp	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-7LVCL.tmp\99FE.tmp	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-7LVCL.tmp\99FE.tmp	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-7LVCL.tmp\99FE.tmp	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-7LVCL.tmp\99FE.tmp	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-7LVCL.tmp\99FE.tmp	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-7LVCL.tmp\99FE.tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-7LVCL.tmp\99FE.tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-7LVCL.tmp\99FE.tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-7LVCL.tmp\99FE.tmp	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-7LVCL.tmp\99FE.tmp	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-7LVCL.tmp\99FE.tmp	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\is-7LVCL.tmp\99FE.tmp	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\is-7LVCL.tmp\99FE.tmp	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\is-7LVCL.tmp\99FE.tmp	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\is-7LVCL.tmp\99FE.tmp	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\is-7LVCL.tmp\99FE.tmp	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\is-7LVCL.tmp\99FE.tmp	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\is-7LVCL.tmp\99FE.tmp	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\is-7LVCL.tmp\99FE.tmp	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\is-7LVCL.tmp\99FE.tmp	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\is-7LVCL.tmp\99FE.tmp	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\is-7LVCL.tmp\99FE.tmp	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\is-7LVCL.tmp\99FE.tmp	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\is-7LVCL.tmp\99FE.tmp	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-7LVCL.tmp\99FE.tmp	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\is-7LVCL.tmp\99FE.tmp	Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\is-7LVCL.tmp\99FE.tmp	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\chcp.com	Section loaded: fsutilext.dll
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Section loaded: mozglue.dll
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Section loaded: vcruntime140.dll
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Section loaded: msvcp140.dll
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Section loaded: linkinfo.dll
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\99FE.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\99FE.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe	Section loaded: appxsip.dll
Source: C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe	Section loaded: opcservices.dll
Source: C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe	Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe	Section loaded: appxsip.dll
Source: C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe	Section loaded: opcservices.dll
Source: C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe	Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe	Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: appresolver.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: slc.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: sppc.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: pcacli.dll
Source: C:\Windows\System32\cmd.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\BD27.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\BD27.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\BD27.exe	Section loaded: msvcr100.dll
Source: C:\Windows\System32\fodhelper.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\fodhelper.exe	Section loaded: uxtheme.dll
Source: C:\Windows\System32\fodhelper.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\fodhelper.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\fodhelper.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\fodhelper.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\fodhelper.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\fodhelper.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\fodhelper.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\fodhelper.exe	Section loaded: ieframe.dll
Source: C:\Windows\System32\fodhelper.exe	Section loaded: netapi32.dll
Source: C:\Windows\System32\fodhelper.exe	Section loaded: version.dll
Source: C:\Windows\System32\fodhelper.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\fodhelper.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\fodhelper.exe	Section loaded: wkscli.dll
Source: C:\Windows\System32\fodhelper.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\fodhelper.exe	Section loaded: edputil.dll
Source: C:\Windows\System32\fodhelper.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\fodhelper.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\fodhelper.exe	Section loaded: mlang.dll
Source: C:\Windows\System32\fodhelper.exe	Section loaded: wininet.dll
Source: C:\Windows\System32\fodhelper.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\fodhelper.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\fodhelper.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\fodhelper.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\fodhelper.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\fodhelper.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\fodhelper.exe	Section loaded: mrmcorer.dll
Source: C:\Windows\System32\fodhelper.exe	Section loaded: windows.staterepositorycore.dll
Source: C:\Windows\System32\fodhelper.exe	Section loaded: windows.ui.dll
Source: C:\Windows\System32\fodhelper.exe	Section loaded: windowmanagementapi.dll
Source: C:\Windows\System32\fodhelper.exe	Section loaded: textinputframework.dll
Source: C:\Windows\System32\fodhelper.exe	Section loaded: inputhost.dll
Source: C:\Windows\System32\fodhelper.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\fodhelper.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\fodhelper.exe	Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\fodhelper.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\fodhelper.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\fodhelper.exe	Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\fodhelper.exe	Section loaded: coremessaging.dll
Source: C:\Windows\System32\fodhelper.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\fodhelper.exe	Section loaded: bcp47mrm.dll
Source: C:\ProgramData\Drivers\csrss.exe	Section loaded: apphelp.dll
Source: C:\ProgramData\Drivers\csrss.exe	Section loaded: msimg32.dll
Source: C:\ProgramData\Drivers\csrss.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Section loaded: powrprof.dll
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Section loaded: umpdc.dll
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Section loaded: sxs.dll
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Section loaded: version.dll

Source: v6SEx6rJ3E.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 16.2.5C46.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 10.2.5C46.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 20.0.8B96.exe.930000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_DLInjector04 author = ditekSHen, description = Detects downloader / injector
Source: 30.2.nsh9BCF.tmp.2b70e67.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 30.2.nsh9BCF.tmp.2b70e67.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_WindDefender_AntiEmaulation author = ditekSHen, description = Detects executables containing potential Windows Defender anti-emulation checks
Source: 00000006.00000002.2363431931.00000000004C0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000002B.00000002.2660260455.0000000004E00000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.2122757186.00000000020B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000002C.00000002.2739842815.0000000004FE0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 0000002C.00000002.2728077355.0000000004BE0000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.2122690423.0000000002080000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000006.00000002.2363904788.00000000004D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000026.00000002.2679986992.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000016.00000002.2668458001.0000000004A58000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000000.00000002.2122714644.0000000002090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000001E.00000002.3306141637.0000000002B70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000016.00000002.2669166825.0000000004F60000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000000.00000002.2122463373.000000000048D000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000026.00000002.2680038796.0000000002BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 0000001E.00000002.3311798789.0000000002C09000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000006.00000002.2364285288.0000000000551000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000006.00000002.2364391445.00000000005AE000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000026.00000002.2680618871.0000000002C79000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000026.00000002.2680205009.0000000002C11000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000009.00000002.2441680458.0000000004905000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: Process Memory Space: explorer.exe PID: 4004, type: MEMORYSTR	Matched rule: ironshell_php author = Neo23x0 Yara BRG + customization by Stefan -dfate- Molls, description = Semi-Auto-generated - file ironshell.php.txt, hash = 8bfa2eeb8a3ff6afc619258e39fded56
Source: C:\Users\user\AppData\Local\Temp\8B96.exe, type: DROPPED	Matched rule: MALWARE_Win_DLInjector04 author = ditekSHen, description = Detects downloader / injector

Source: 52CE.exe.2.dr

Static PE information: Section: .reloc IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: D358.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 58CA.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 6000.dll.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: BD27.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: DFB4.exe.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: afiffai.2.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: csrss.exe.17.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: syncUpd[1].exe.21.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: nsh9BCF.tmp.21.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: ksverify.exe.32.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: _RegDLL.tmp.32.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: DeliveryStatusFields_65.exe.34.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@69/121@0/100

Source: C:\Users\user\AppData\Local\Temp\5C46.exe

Code function: 16_2_004023F2 LoadLibraryA,LookupPrivilegeValueA,AdjustTokenPrivileges,LoadLibraryA,NtShutdownSystem,

16_2_004023F2

Source: C:\Users\user\Desktop\v6SEx6rJ3E.exe

Code function: 0_2_0049097D CreateToolhelp32Snapshot,Module32First,

0_2_0049097D

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Roaming\esiffai

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\5C46.exe	Mutant created: \Sessions\1\BaseNamedObjects\jmuZVxzUSQKZJ
Source: C:\Users\user\AppData\Local\Temp\8B96.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7096:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6136:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:524:120:WilError_03

Source: C:\Windows\explorer.exe

File created: C:\Users\user\AppData\Local\Temp\52CE.tmp

Jump to behavior

Source: Yara match	File source: 23.0.BroomSetup.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000017.00000000.2496485402.0000000000401000.00000020.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match	File source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe, type: DROPPED

Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Temp\Task.bat" "

Source: C:\Users\user\AppData\Local\Temp\52CE.exe

Command line argument: `R@

7_2_004051B0

Source: v6SEx6rJ3E.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor

Source: C:\Windows\explorer.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\v6SEx6rJ3E.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization

Source: C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: 52CE.exe, 00000007.00000003.2438030873.0000000002F13000.00000004.00000800.00020000.00000000.sdmp, 52CE.exe, 00000007.00000003.2359219219.00000000008AB000.00000004.00000020.00020000.00000000.sdmp, 52CE.exe, 00000007.00000003.2439971229.00000000008DA000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: v6SEx6rJ3E.exe	ReversingLabs: Detection: 55%
Source: v6SEx6rJ3E.exe	Virustotal: Detection: 41%

Source: unknown	Process created: C:\Users\user\Desktop\v6SEx6rJ3E.exe C:\Users\user\Desktop\v6SEx6rJ3E.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\esiffai C:\Users\user\AppData\Roaming\esiffai
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\52CE.exe C:\Users\user\AppData\Local\Temp\52CE.exe
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\58CA.exe C:\Users\user\AppData\Local\Temp\58CA.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\5C46.exe C:\Users\user\AppData\Local\Temp\5C46.exe
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32 /s C:\Users\user\AppData\Local\Temp\6000.dll
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe /s C:\Users\user\AppData\Local\Temp\6000.dll
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\5C46.exe "C:\Users\user\AppData\Local\Temp\5C46.exe"
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Process created: C:\Users\user\AppData\Local\Temp\58CA.exe C:\Users\user\AppData\Local\Temp\58CA.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\7147.exe C:\Users\user\AppData\Local\Temp\7147.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\8B96.exe C:\Users\user\AppData\Local\Temp\8B96.exe
Source: C:\Users\user\AppData\Local\Temp\8B96.exe	Process created: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe "C:\Users\user\AppData\Local\Temp\InstallSetup4.exe"
Source: C:\Users\user\AppData\Local\Temp\8B96.exe	Process created: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe "C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe	Process created: C:\Users\user\AppData\Local\Temp\BroomSetup.exe C:\Users\user\AppData\Local\Temp\BroomSetup.exe
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\99FE.exe C:\Users\user\AppData\Local\Temp\99FE.exe
Source: C:\Users\user\AppData\Local\Temp\99FE.exe	Process created: C:\Users\user\AppData\Local\Temp\is-7LVCL.tmp\99FE.tmp "C:\Users\user\AppData\Local\Temp\is-7LVCL.tmp\99FE.tmp" /SL5="$1043A,7349384,54272,C:\Users\user\AppData\Local\Temp\99FE.exe"
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Temp\Task.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 1251
Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe	Process created: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp
Source: C:\Users\user\AppData\Local\Temp\is-7LVCL.tmp\99FE.tmp	Process created: C:\Users\user\AppData\Local\Temp\99FE.exe "C:\Users\user\AppData\Local\Temp\99FE.exe" /SPAWNWND=$1049A /NOTIFYWND=$1043A
Source: C:\Users\user\AppData\Local\Temp\99FE.exe	Process created: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp "C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp" /SL5="$204D0,7349384,54272,C:\Users\user\AppData\Local\Temp\99FE.exe" /SPAWNWND=$1049A /NOTIFYWND=$1043A
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\user\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Process created: C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe "C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe" -i
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Process created: C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe "C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe" -s
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C fodhelper
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\BD27.exe C:\Users\user\AppData\Local\Temp\BD27.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\fodhelper.exe fodhelper
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
Source: C:\Windows\explorer.exe	Process created: C:\ProgramData\Drivers\csrss.exe "C:\ProgramData\Drivers\csrss.exe"
Source: C:\Windows\System32\fodhelper.exe	Process created: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe "C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\52CE.exe C:\Users\user\AppData\Local\Temp\52CE.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\58CA.exe C:\Users\user\AppData\Local\Temp\58CA.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\5C46.exe C:\Users\user\AppData\Local\Temp\5C46.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\System32\regsvr32.exe regsvr32 /s C:\Users\user\AppData\Local\Temp\6000.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\7147.exe C:\Users\user\AppData\Local\Temp\7147.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\8B96.exe C:\Users\user\AppData\Local\Temp\8B96.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\99FE.exe C:\Users\user\AppData\Local\Temp\99FE.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Users\user\AppData\Local\Temp\BD27.exe C:\Users\user\AppData\Local\Temp\BD27.exe	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\ProgramData\Drivers\csrss.exe "C:\ProgramData\Drivers\csrss.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Process created: C:\Users\user\AppData\Local\Temp\58CA.exe C:\Users\user\AppData\Local\Temp\58CA.exe	Jump to behavior
Source: C:\Windows\System32\regsvr32.exe	Process created: C:\Windows\SysWOW64\regsvr32.exe /s C:\Users\user\AppData\Local\Temp\6000.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8B96.exe	Process created: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe "C:\Users\user\AppData\Local\Temp\InstallSetup4.exe"
Source: C:\Users\user\AppData\Local\Temp\8B96.exe	Process created: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe "C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe	Process created: C:\Users\user\AppData\Local\Temp\BroomSetup.exe C:\Users\user\AppData\Local\Temp\BroomSetup.exe
Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe	Process created: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C fodhelper
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Temp\Task.bat" "
Source: C:\Users\user\AppData\Local\Temp\99FE.exe	Process created: C:\Users\user\AppData\Local\Temp\is-7LVCL.tmp\99FE.tmp "C:\Users\user\AppData\Local\Temp\is-7LVCL.tmp\99FE.tmp" /SL5="$1043A,7349384,54272,C:\Users\user\AppData\Local\Temp\99FE.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 1251
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\user\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\99FE.exe	Process created: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp "C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp" /SL5="$204D0,7349384,54272,C:\Users\user\AppData\Local\Temp\99FE.exe" /SPAWNWND=$1049A /NOTIFYWND=$1043A
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Process created: C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe "C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe" -i
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Process created: C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe "C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe" -s
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\fodhelper.exe fodhelper
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
Source: C:\Windows\System32\fodhelper.exe	Process created: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe "C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
Source: C:\ProgramData\Drivers\csrss.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Process created: unknown unknown

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner

Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe

Window found: window name: TButton

Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\AppData\Local\Temp\8B96.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001

Source: C:\Users\user\Desktop\v6SEx6rJ3E.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source:	Binary string: c:\omtnkdoj\bnwv\yogisfk\cqf.pdb source: 5C46.exe, 0000000A.00000002.2405705506.0000000000410000.00000002.00000001.01000000.00000008.sdmp, 5C46.exe, 0000000A.00000000.2355083766.0000000000410000.00000002.00000001.01000000.00000008.sdmp, 5C46.exe, 00000010.00000002.2442206283.0000000000410000.00000002.00000001.01000000.00000008.sdmp, 5C46.exe, 00000010.00000000.2375703307.0000000000410000.00000002.00000001.01000000.00000008.sdmp
Source:	Binary string: c:\bfllk\pdgh\qovxk\wqdtbmac.pdb source: 5C46.exe, 00000010.00000002.2442412063.0000000000551000.00000004.00000020.00020000.00000000.sdmp, 5C46.exe, 00000010.00000002.2464218511.0000000004970000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\jfmo\tlcp\nyvnyt\obocmwsb.pdb source: 5C46.exe, 00000010.00000002.2443145243.000000000284B000.00000004.00000020.00020000.00000000.sdmp, 5C46.exe, 00000010.00000002.2464218511.0000000004970000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\mitegocom.pdb source: 58CA.exe, 00000009.00000000.2346852287.00000000005C2000.00000002.00000001.01000000.00000007.sdmp, 58CA.exe, 00000009.00000002.2438731839.00000000005C2000.00000002.00000001.01000000.00000007.sdmp, 58CA.exe, 00000011.00000000.2417518022.00000000005C2000.00000002.00000001.01000000.00000007.sdmp
Source:	Binary string: c:\bfllk\pdgh\qovxk\wqdtbmac.pdb/; source: 5C46.exe, 00000010.00000002.2442412063.0000000000551000.00000004.00000020.00020000.00000000.sdmp, 5C46.exe, 00000010.00000002.2464218511.0000000004970000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\jfmo\tlcp\nyvnyt\obocmwsb.pdb/; source: 5C46.exe, 00000010.00000002.2443145243.000000000284B000.00000004.00000020.00020000.00000000.sdmp, 5C46.exe, 00000010.00000002.2464218511.0000000004970000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: p.*C:\mitegocom.pdb source: 58CA.exe, 00000009.00000000.2346852287.00000000005C2000.00000002.00000001.01000000.00000007.sdmp, 58CA.exe, 00000009.00000002.2438731839.00000000005C2000.00000002.00000001.01000000.00000007.sdmp, 58CA.exe, 00000011.00000000.2417518022.00000000005C2000.00000002.00000001.01000000.00000007.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\v6SEx6rJ3E.exe	Unpacked PE file: 0.2.v6SEx6rJ3E.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Roaming\esiffai	Unpacked PE file: 6.2.esiffai.400000.0.unpack .text:ER;.rdata:R;.data:W;.tls:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Unpacked PE file: 22.2.288c47bbc1871b439df19ff4df68f076.exe.400000.7.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Unpacked PE file: 30.2.nsh9BCF.tmp.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;.rdata:R;.data:W;.reloc:R;
Source: C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe	Unpacked PE file: 34.2.ksverify.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;_wma6:EW; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;
Source: C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe	Unpacked PE file: 35.2.ksverify.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R;_wma6:EW; vs .text:ER;.rdata:R;.data:W;.vmp0:ER;.rsrc:R;
Source: C:\Users\user\AppData\Local\Temp\BD27.exe	Unpacked PE file: 38.2.BD27.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Unpacked PE file: 44.2.288c47bbc1871b439df19ff4df68f076.exe.400000.6.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.idata:W;.reloc:R;.symtab:R;

Detected unpacking (overwrites its own PE header)

Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Unpacked PE file: 22.2.288c47bbc1871b439df19ff4df68f076.exe.400000.7.unpack
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Unpacked PE file: 30.2.nsh9BCF.tmp.400000.0.unpack
Source: C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe	Unpacked PE file: 34.2.ksverify.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe	Unpacked PE file: 35.2.ksverify.exe.400000.0.unpack
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Unpacked PE file: 44.2.288c47bbc1871b439df19ff4df68f076.exe.400000.6.unpack

Source: C:\Users\user\Desktop\v6SEx6rJ3E.exe

Code function: 0_2_00428960 LoadLibraryW,GetProcAddress,VirtualProtect,

0_2_00428960

Source: initial sample

Static PE information: section where entry point is pointing to: .vmp

Source: INetC.dll.21.dr	Static PE information: real checksum: 0x0 should be: 0x69a0
Source: _setup64.tmp.32.dr	Static PE information: real checksum: 0x0 should be: 0x8546
Source: _RegDLL.tmp.32.dr	Static PE information: real checksum: 0x0 should be: 0xc2b7
Source: InstallSetup4.exe.20.dr	Static PE information: real checksum: 0x0 should be: 0x20c304
Source: _iscrypt.dll.32.dr	Static PE information: real checksum: 0x0 should be: 0x89d2
Source: 6000.dll.2.dr	Static PE information: real checksum: 0x0 should be: 0x17f85b
Source: 99FE.tmp.24.dr	Static PE information: real checksum: 0x0 should be: 0xb387e
Source: 99FE.tmp.31.dr	Static PE information: real checksum: 0x0 should be: 0xb387e
Source: 99FE.exe.2.dr	Static PE information: real checksum: 0x0 should be: 0x749b38
Source: 288c47bbc1871b439df19ff4df68f076.exe.20.dr	Static PE information: real checksum: 0x412bd3 should be: 0x414c72
Source: _isdecmp.dll.32.dr	Static PE information: real checksum: 0x0 should be: 0x123ff
Source: is-MTO63.tmp.32.dr	Static PE information: real checksum: 0x0 should be: 0xba2b4
Source: 8B96.exe.2.dr	Static PE information: real checksum: 0x0 should be: 0x61f20f
Source: 52CE.exe.2.dr	Static PE information: real checksum: 0x0 should be: 0xb201a
Source: BroomSetup.exe.21.dr	Static PE information: real checksum: 0x0 should be: 0x4cbbf8

Source: 3ADF.exe.2.dr	Static PE information: section name: .vmp
Source: 3ADF.exe.2.dr	Static PE information: section name: .vmp
Source: 3ADF.exe.2.dr	Static PE information: section name: .vmp
Source: 7147.exe.2.dr	Static PE information: section name: .size>\
Source: 7147.exe.2.dr	Static PE information: section name: .size>\
Source: 7147.exe.2.dr	Static PE information: section name: .
Source: 7147.exe.2.dr	Static PE information: section name: .
Source: 7147.exe.2.dr	Static PE information: section name: .
Source: 52CE.exe.2.dr	Static PE information: section name: .mgjh
Source: 52CE.exe.2.dr	Static PE information: section name: .eEBC
Source: BroomSetup.exe.21.dr	Static PE information: section name: .didata
Source: freebl3.dll.30.dr	Static PE information: section name: .00cfg
Source: freebl3[1].dll.30.dr	Static PE information: section name: .00cfg
Source: mozglue.dll.30.dr	Static PE information: section name: .00cfg
Source: mozglue[1].dll.30.dr	Static PE information: section name: .00cfg
Source: msvcp140.dll.30.dr	Static PE information: section name: .didat
Source: msvcp140[1].dll.30.dr	Static PE information: section name: .didat
Source: nss3.dll.30.dr	Static PE information: section name: .00cfg
Source: nss3[1].dll.30.dr	Static PE information: section name: .00cfg
Source: softokn3.dll.30.dr	Static PE information: section name: .00cfg
Source: softokn3[1].dll.30.dr	Static PE information: section name: .00cfg
Source: ksverify.exe.32.dr	Static PE information: section name: _wma6
Source: is-G0QLS.tmp.32.dr	Static PE information: section name: /4
Source: is-L82B0.tmp.32.dr	Static PE information: section name: /4
Source: is-RHOK0.tmp.32.dr	Static PE information: section name: /4
Source: is-R4VT6.tmp.32.dr	Static PE information: section name: /4
Source: is-HN3OD.tmp.32.dr	Static PE information: section name: /4
Source: is-U0S2N.tmp.32.dr	Static PE information: section name: /4
Source: is-G7N1I.tmp.32.dr	Static PE information: section name: /4
Source: is-JBCJU.tmp.32.dr	Static PE information: section name: /4
Source: is-M5A95.tmp.32.dr	Static PE information: section name: /4
Source: is-3DVHE.tmp.32.dr	Static PE information: section name: /4
Source: is-52MI6.tmp.32.dr	Static PE information: section name: /4
Source: is-1OHA3.tmp.32.dr	Static PE information: section name: /4
Source: is-N956R.tmp.32.dr	Static PE information: section name: /4
Source: DeliveryStatusFields_65.exe.34.dr	Static PE information: section name: _wma6

Source: C:\Windows\explorer.exe

Process created: C:\Windows\System32\regsvr32.exe regsvr32 /s C:\Users\user\AppData\Local\Temp\6000.dll

Source: C:\Users\user\Desktop\v6SEx6rJ3E.exe	Code function: 0_2_00403253 push eax; ret	0_2_0040332D
Source: C:\Users\user\Desktop\v6SEx6rJ3E.exe	Code function: 0_2_00401C64 push es; retf	0_2_00401C83
Source: C:\Users\user\Desktop\v6SEx6rJ3E.exe	Code function: 0_2_0040332A push eax; ret	0_2_0040332D
Source: C:\Users\user\Desktop\v6SEx6rJ3E.exe	Code function: 0_2_00402F91 push 60B44389h; retf	0_2_00402FAB
Source: C:\Users\user\Desktop\v6SEx6rJ3E.exe	Code function: 0_2_0042E371 push ecx; ret	0_2_0042E384
Source: C:\Users\user\Desktop\v6SEx6rJ3E.exe	Code function: 0_2_0048D63C pushad ; retn 0048h	0_2_0048D63D
Source: C:\Users\user\Desktop\v6SEx6rJ3E.exe	Code function: 0_2_02081CCB push es; retf	0_2_02081CEA
Source: C:\Users\user\Desktop\v6SEx6rJ3E.exe	Code function: 0_2_02082FF8 push 60B44389h; retf	0_2_02083012
Source: C:\Users\user\AppData\Roaming\esiffai	Code function: 6_2_00403253 push eax; ret	6_2_0040332D
Source: C:\Users\user\AppData\Roaming\esiffai	Code function: 6_2_00401C64 push es; retf	6_2_00401C83
Source: C:\Users\user\AppData\Roaming\esiffai	Code function: 6_2_0040332A push eax; ret	6_2_0040332D
Source: C:\Users\user\AppData\Roaming\esiffai	Code function: 6_2_00402F91 push 60B44389h; retf	6_2_00402FAB
Source: C:\Users\user\AppData\Roaming\esiffai	Code function: 6_2_0042E371 push ecx; ret	6_2_0042E384
Source: C:\Users\user\AppData\Roaming\esiffai	Code function: 6_2_004C1CCB push es; retf	6_2_004C1CEA
Source: C:\Users\user\AppData\Roaming\esiffai	Code function: 6_2_004C2FF8 push 60B44389h; retf	6_2_004C3012
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_0040DCB0 push eax; ret	7_2_0040DCC5
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_00403461 push ecx; ret	7_2_00403474
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Code function: 9_2_04AB54BD push cs; ret	9_2_04AB54BE
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Code function: 9_2_049C32EF push ebx; iretd	9_2_049C32F7
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Code function: 9_2_04A7D80A push 5A36841Dh; retf	9_2_04A7D825
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Code function: 9_2_0490ADA3 push esi; retf	9_2_0490ADA4
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Code function: 9_2_04A7D7ED push ebp; retf	9_2_04A7D7EE
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Code function: 9_2_04AB57F8 push edx; retf	9_2_04AB57F9
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Code function: 9_2_04A1770A pushad ; ret	9_2_04A1770C
Source: C:\Users\user\AppData\Local\Temp\5C46.exe	Code function: 10_2_0040A3BD push eax; retf	10_2_0040A3BE
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 15_2_04F251F7 push FFFFFF81h; ret	15_2_04F251F9
Source: C:\Windows\SysWOW64\regsvr32.exe	Code function: 15_2_04F214FA push es; ret	15_2_04F214FB
Source: C:\Users\user\AppData\Local\Temp\5C46.exe	Code function: 16_2_0040A3BD push eax; retf	16_2_0040A3BE

Source: v6SEx6rJ3E.exe	Static PE information: section name: .text entropy: 7.018049816976223
Source: D358.exe.2.dr	Static PE information: section name: .text entropy: 7.78984089955939
Source: 58CA.exe.2.dr	Static PE information: section name: .text entropy: 7.998107518145983
Source: 6000.dll.2.dr	Static PE information: section name: .text entropy: 7.999618113556256
Source: BD27.exe.2.dr	Static PE information: section name: .text entropy: 7.773797138068393
Source: DFB4.exe.2.dr	Static PE information: section name: .text entropy: 7.983145525918928
Source: esiffai.2.dr	Static PE information: section name: .text entropy: 7.018049816976223
Source: afiffai.2.dr	Static PE information: section name: .text entropy: 7.773797138068393
Source: csrss.exe.17.dr	Static PE information: section name: .text entropy: 7.998107518145983
Source: syncUpd[1].exe.21.dr	Static PE information: section name: .text entropy: 7.777048885069988
Source: nsh9BCF.tmp.21.dr	Static PE information: section name: .text entropy: 7.777048885069988
Source: ksverify.exe.32.dr	Static PE information: section name: .text entropy: 7.634660741045521
Source: DeliveryStatusFields_65.exe.34.dr	Static PE information: section name: .text entropy: 7.634660741045521

Persistence and Installation Behavior

Contains functionality to infect the boot sector

Source: C:\Users\user\AppData\Local\Temp\5C46.exe	Code function: CreateFileA,DeviceIoControl, \\.\PHYSICALDRIVE0	10_2_00408951
Source: C:\Users\user\AppData\Local\Temp\5C46.exe	Code function: CreateFileA,DeviceIoControl, PHYSICALDRIVE0	10_2_00408951
Source: C:\Users\user\AppData\Local\Temp\5C46.exe	Code function: CreateFileA,DeviceIoControl, \\.\PHYSICALDRIVE0	10_2_00408958
Source: C:\Users\user\AppData\Local\Temp\5C46.exe	Code function: CreateFileA,DeviceIoControl, PHYSICALDRIVE0	10_2_00408958
Source: C:\Users\user\AppData\Local\Temp\5C46.exe	Code function: CreateFileA,DeviceIoControl, \\.\PHYSICALDRIVE0	10_2_0040895B
Source: C:\Users\user\AppData\Local\Temp\5C46.exe	Code function: CreateFileA,DeviceIoControl, PHYSICALDRIVE0	10_2_0040895B
Source: C:\Users\user\AppData\Local\Temp\5C46.exe	Code function: FindCloseChangeNotification,CreateFileA,DeviceIoControl, \\.\PHYSICALDRIVE0	16_2_0040895B
Source: C:\Users\user\AppData\Local\Temp\5C46.exe	Code function: FindCloseChangeNotification,CreateFileA,DeviceIoControl, PHYSICALDRIVE0	16_2_0040895B
Source: C:\Users\user\AppData\Local\Temp\5C46.exe	Code function: FindCloseChangeNotification,CreateFileA,DeviceIoControl, \\.\PHYSICALDRIVE0	16_2_00408951
Source: C:\Users\user\AppData\Local\Temp\5C46.exe	Code function: FindCloseChangeNotification,CreateFileA,DeviceIoControl, PHYSICALDRIVE0	16_2_00408951
Source: C:\Users\user\AppData\Local\Temp\5C46.exe	Code function: FindCloseChangeNotification,CreateFileA,DeviceIoControl, \\.\PHYSICALDRIVE0	16_2_00408958
Source: C:\Users\user\AppData\Local\Temp\5C46.exe	Code function: FindCloseChangeNotification,CreateFileA,DeviceIoControl, PHYSICALDRIVE0	16_2_00408958

Drops PE files with benign system names

Source: C:\Users\user\AppData\Local\Temp\58CA.exe

File created: C:\ProgramData\Drivers\csrss.exe

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe	File created: C:\ProgramData\DeliveryStatusFields_65\DeliveryStatusFields_65.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	File created: C:\Users\user\AppData\Local\Temp\is-66LSP.tmp\_isetup\_RegDLL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	File created: C:\Users\user\AppData\Local\Key Signatures verification\swresample-3.dll (copy)	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\esiffai	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	File created: C:\Users\user\AppData\Local\Key Signatures verification\is-M5A95.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\99FE.exe	File created: C:\Users\user\AppData\Local\Temp\is-7LVCL.tmp\99FE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	File created: C:\Users\user\AppData\Local\Key Signatures verification\libbz2-1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	File created: C:\Users\user\AppData\Local\Temp\is-66LSP.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	File created: C:\Users\user\AppData\Local\Key Signatures verification\is-HN3OD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	File created: C:\Users\user\AppData\Local\Key Signatures verification\libiconv-2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe	File created: C:\Users\user\AppData\Local\Temp\nse94C9.tmp\INetC.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	File created: C:\Users\user\AppData\Local\Key Signatures verification\avformat-58.dll (copy)	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\3ADF.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\99FE.exe	File created: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	File created: C:\Users\user\AppData\Local\Key Signatures verification\is-L82B0.tmp	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\58CA.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	File created: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	File created: C:\Users\user\AppData\Local\Key Signatures verification\is-MTO63.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	File created: C:\Users\user\AppData\Local\Key Signatures verification\is-G7N1I.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	File created: C:\Users\user\AppData\Local\Key Signatures verification\libogg-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	File created: C:\Users\user\AppData\Local\Temp\is-66LSP.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	File created: C:\Users\user\AppData\Local\Key Signatures verification\is-1OHA3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	File created: C:\Users\user\AppData\Local\Key Signatures verification\libwinpthread-1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	File created: C:\Users\user\AppData\Local\Key Signatures verification\avcodec-58.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	File created: C:\Users\user\AppData\Local\Key Signatures verification\zlib1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	File created: C:\Users\user\AppData\Local\Key Signatures verification\libvorbis-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	File created: C:\ProgramData\Drivers\csrss.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\5C46.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\6000.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\syncUpd[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	File created: C:\Users\user\AppData\Local\Key Signatures verification\is-RHOK0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	File created: C:\Users\user\AppData\Local\Temp\is-66LSP.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	File created: C:\Users\user\AppData\Local\Temp\is-66LSP.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	File created: C:\Users\user\AppData\Local\Key Signatures verification\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	File created: C:\Users\user\AppData\Local\Key Signatures verification\avutil-56.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	File created: C:\Users\user\AppData\Local\Key Signatures verification\is-N956R.tmp	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\afiffai	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\52CE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	File created: C:\Users\user\AppData\Local\Key Signatures verification\libgcc_s_dw2-1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	File created: C:\Users\user\AppData\Local\Key Signatures verification\is-52MI6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	File created: C:\Users\user\AppData\Local\Key Signatures verification\is-U0S2N.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	File created: C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\8B96.exe	File created: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	File created: C:\Users\user\AppData\Local\Key Signatures verification\is-G0QLS.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	File created: C:\Users\user\AppData\Local\Key Signatures verification\is-8QNGU.tmp	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\DFB4.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe	File created: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	File created: C:\Users\user\AppData\Local\Key Signatures verification\is-3DVHE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	File created: C:\Users\user\AppData\Local\Key Signatures verification\libvorbisenc-2.dll (copy)	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\BD27.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\8B96.exe	File created: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe	File created: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\7147.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	File created: C:\Users\user\AppData\Local\Key Signatures verification\SDL2.dll (copy)	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\D358.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	File created: C:\Users\user\AppData\Local\Key Signatures verification\is-R4VT6.tmp	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\99FE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	File created: C:\Users\user\AppData\Local\Key Signatures verification\is-JBCJU.tmp	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\8B96.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	File created: C:\ProgramData\mozglue.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	File created: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	File created: C:\ProgramData\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe	File created: C:\ProgramData\DeliveryStatusFields_65\DeliveryStatusFields_65.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	File created: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	File created: C:\ProgramData\Drivers\csrss.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	File created: C:\ProgramData\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	File created: C:\ProgramData\softokn3.dll	Jump to dropped file

Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\esiffai			Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\afiffai			Jump to dropped file

Boot Survival

Contains functionality to infect the boot sector

Source: C:\Users\user\AppData\Local\Temp\5C46.exe	Code function: CreateFileA,DeviceIoControl, \\.\PHYSICALDRIVE0	10_2_00408951
Source: C:\Users\user\AppData\Local\Temp\5C46.exe	Code function: CreateFileA,DeviceIoControl, PHYSICALDRIVE0	10_2_00408951
Source: C:\Users\user\AppData\Local\Temp\5C46.exe	Code function: CreateFileA,DeviceIoControl, \\.\PHYSICALDRIVE0	10_2_00408958
Source: C:\Users\user\AppData\Local\Temp\5C46.exe	Code function: CreateFileA,DeviceIoControl, PHYSICALDRIVE0	10_2_00408958
Source: C:\Users\user\AppData\Local\Temp\5C46.exe	Code function: CreateFileA,DeviceIoControl, \\.\PHYSICALDRIVE0	10_2_0040895B
Source: C:\Users\user\AppData\Local\Temp\5C46.exe	Code function: CreateFileA,DeviceIoControl, PHYSICALDRIVE0	10_2_0040895B
Source: C:\Users\user\AppData\Local\Temp\5C46.exe	Code function: FindCloseChangeNotification,CreateFileA,DeviceIoControl, \\.\PHYSICALDRIVE0	16_2_0040895B
Source: C:\Users\user\AppData\Local\Temp\5C46.exe	Code function: FindCloseChangeNotification,CreateFileA,DeviceIoControl, PHYSICALDRIVE0	16_2_0040895B
Source: C:\Users\user\AppData\Local\Temp\5C46.exe	Code function: FindCloseChangeNotification,CreateFileA,DeviceIoControl, \\.\PHYSICALDRIVE0	16_2_00408951
Source: C:\Users\user\AppData\Local\Temp\5C46.exe	Code function: FindCloseChangeNotification,CreateFileA,DeviceIoControl, PHYSICALDRIVE0	16_2_00408951
Source: C:\Users\user\AppData\Local\Temp\5C46.exe	Code function: FindCloseChangeNotification,CreateFileA,DeviceIoControl, \\.\PHYSICALDRIVE0	16_2_00408958
Source: C:\Users\user\AppData\Local\Temp\5C46.exe	Code function: FindCloseChangeNotification,CreateFileA,DeviceIoControl, PHYSICALDRIVE0	16_2_00408958

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\user\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run CSRSS			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run CSRSS			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Deletes itself after installation

Source: C:\Windows\explorer.exe

File deleted: c:\users\user\desktop\v6sex6rj3e.exe

Jump to behavior

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\esiffai:Zone.Identifier read attributes \| delete			Jump to behavior
Source: C:\Windows\explorer.exe	File opened: C:\Users\user\AppData\Roaming\afiffai:Zone.Identifier read attributes \| delete			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\5C46.exe	Registry key monitored for changes: HKEY_CURRENT_USER_Classes			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8B96.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\8B96.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\8B96.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\8B96.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\8B96.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\8B96.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\8B96.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\8B96.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\8B96.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\8B96.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\8B96.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\8B96.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\8B96.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\8B96.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\8B96.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\8B96.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\99FE.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-7LVCL.tmp\99FE.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-7LVCL.tmp\99FE.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-7LVCL.tmp\99FE.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\99FE.exe	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX

Malware Analysis System Evasion

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Desktop\v6SEx6rJ3E.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\v6SEx6rJ3E.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\v6SEx6rJ3E.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\v6SEx6rJ3E.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\v6SEx6rJ3E.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\Desktop\v6SEx6rJ3E.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\esiffai	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\esiffai	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\esiffai	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\esiffai	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\esiffai	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Roaming\esiffai	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD27.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\BD27.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\BD27.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\BD27.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\BD27.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Local\Temp\BD27.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI

Query firmware table information (likely to detect VMs)

Source: C:\Users\user\AppData\Local\Temp\52CE.exe	System information queried: FirmwareTableInformation			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7147.exe	System information queried: FirmwareTableInformation

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: v6SEx6rJ3E.exe, 00000000.00000002.2122393465.000000000047E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ASWHOOK
Source: esiffai, 00000006.00000002.2364316209.000000000059E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ASWHOOK%

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\AppData\Local\Temp\7147.exe

RDTSC instruction interceptor: First address: 00000000009C5985 second address: 00000000009C5989 instructions: 0x00000000 rdtsc 0x00000002 rol cl, 1 0x00000004 rdtsc

Source: C:\Users\user\AppData\Local\Temp\8B96.exe	Memory allocated: 1560000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\8B96.exe	Memory allocated: 3240000 memory reserve \| memory write watch
Source: C:\Users\user\AppData\Local\Temp\8B96.exe	Memory allocated: 5240000 memory reserve \| memory write watch

Source: C:\Users\user\AppData\Local\Temp\5C46.exe	Thread delayed: delay time: 600000			Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8B96.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 419	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 777	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 781	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 1935	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 777	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 755	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Window / User API: threadDelayed 2957	Jump to behavior
Source: C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe	Window / User API: threadDelayed 3277
Source: C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe	Window / User API: threadDelayed 724

Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\freebl3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Key Signatures verification\swresample-3.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-66LSP.tmp\_isetup\_RegDLL.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Key Signatures verification\is-M5A95.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Key Signatures verification\libbz2-1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-66LSP.tmp\_isetup\_iscrypt.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Key Signatures verification\is-HN3OD.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Key Signatures verification\libiconv-2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\nss3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\msvcp140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nse94C9.tmp\INetC.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Key Signatures verification\avformat-58.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Key Signatures verification\is-L82B0.tmp	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\3ADF.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Dropped PE file which has not been started: C:\ProgramData\softokn3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Key Signatures verification\is-MTO63.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\softokn3[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Dropped PE file which has not been started: C:\ProgramData\nss3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Key Signatures verification\is-G7N1I.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Key Signatures verification\libogg-0.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-66LSP.tmp\_isetup\_isdecmp.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Key Signatures verification\is-1OHA3.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Key Signatures verification\libwinpthread-1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Key Signatures verification\avcodec-58.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Dropped PE file which has not been started: C:\ProgramData\freebl3.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Key Signatures verification\zlib1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Key Signatures verification\libvorbis-0.dll (copy)	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\6000.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Key Signatures verification\is-RHOK0.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-66LSP.tmp\_isetup\_shfoldr.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Key Signatures verification\unins000.exe (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-66LSP.tmp\_isetup\_setup64.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Key Signatures verification\avutil-56.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Key Signatures verification\is-N956R.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Key Signatures verification\libgcc_s_dw2-1.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Key Signatures verification\is-52MI6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Key Signatures verification\is-U0S2N.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\vcruntime140[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\mozglue[1].dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Key Signatures verification\is-G0QLS.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Key Signatures verification\is-8QNGU.tmp	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\DFB4.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Key Signatures verification\is-3DVHE.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Key Signatures verification\libvorbisenc-2.dll (copy)	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Key Signatures verification\SDL2.dll (copy)	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\D358.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Key Signatures verification\is-R4VT6.tmp	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Key Signatures verification\is-JBCJU.tmp	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\52CE.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

graph_7-11022

Source: C:\Users\user\AppData\Local\Temp\5C46.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_10-4426

Source: C:\Windows\explorer.exe TID: 2032	Thread sleep time: -77700s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 356	Thread sleep time: -78100s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 3548	Thread sleep time: -31400s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 2032	Thread sleep time: -193500s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe TID: 4368	Thread sleep time: -180000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\5C46.exe TID: 3472	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe TID: 6324	Thread sleep time: -295700s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe TID: 6128	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7147.exe TID: 1088	Thread sleep time: -150000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\8B96.exe TID: 6528	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe TID: 1364	Thread sleep count: 3277 > 30
Source: C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe TID: 1364	Thread sleep time: -6554000s >= -30000s
Source: C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe TID: 6044	Thread sleep count: 84 > 30
Source: C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe TID: 6044	Thread sleep time: -5040000s >= -30000s
Source: C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe TID: 1364	Thread sleep count: 724 > 30
Source: C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe TID: 1364	Thread sleep time: -1448000s >= -30000s

Source: C:\Users\user\AppData\Local\Temp\5C46.exe

File opened: PHYSICALDRIVE0

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\5C46.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8B96.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe	Thread delayed: delay time: 60000

Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\

Source: explorer.exe, 00000002.00000000.2115057118.000000000962B000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWystem32\DriverStore\en-US\msmouse.inf_locv
Source: 52CE.exe, 00000007.00000003.2440250020.0000000002F3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696487552f
Source: explorer.exe, 00000002.00000000.2115395626.00000000098AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}RoamingCom
Source: 52CE.exe, 00000007.00000003.2440250020.0000000002F3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696487552}
Source: explorer.exe, 00000002.00000000.2110827133.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.2115057118.000000000978C000.00000004.00000001.00020000.00000000.sdmp, 52CE.exe, 00000007.00000003.2506090974.0000000000841000.00000004.00000020.00020000.00000000.sdmp, 52CE.exe, 00000007.00000002.2533125014.0000000000841000.00000004.00000020.00020000.00000000.sdmp, 52CE.exe, 00000007.00000003.2357497536.0000000000841000.00000004.00000020.00020000.00000000.sdmp, 52CE.exe, 00000007.00000003.2509088566.0000000000841000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: 52CE.exe, 00000007.00000003.2440250020.0000000002F3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696487552
Source: 52CE.exe, 00000007.00000003.2440250020.0000000002F3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
Source: 52CE.exe, 00000007.00000003.2440250020.0000000002F3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696487552
Source: 52CE.exe, 00000007.00000003.2440250020.0000000002F3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696487552o
Source: explorer.exe, 00000002.00000000.2112640933.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: 52CE.exe, 00000007.00000003.2440250020.0000000002F3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696487552
Source: 58CA.exe, 00000011.00000003.3532871492.0000000003A8A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: id ed25519 5uD7nVmCI5DppHHtx2H+7AzbTP39/UvAQinqkc/a/lg
Source: 58CA.exe, 00000011.00000003.3046652708.0000000003A89000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCQ+Mgq8T7UeC/2woYMrFlxjDMFr68VrX2WjJ7YjnLbHGfSDEn0XiQNjKrjsFj8m
Source: explorer.exe, 00000002.00000000.2115395626.00000000098AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: 52CE.exe, 00000007.00000003.2440250020.0000000002F3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696487552
Source: 52CE.exe, 00000007.00000003.2440250020.0000000002F3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696487552j
Source: 58CA.exe, 00000011.00000003.2983630563.0000000004066000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.2975535401.0000000004064000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.2979330924.0000000004066000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.2978592045.0000000004065000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.3051950204.000000000404A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: PQ/eu0c4u95RZ6TmTu+WZ4LJtRUpLXPiL1ZfpdLJeM-C5dXEmveX9PwxXgUPF4U6FMl3F8VIsboaJ6hjvtSgGo-C63wNXTxzvJ+jLG7gJ5m1rmT5v79H79KNAxGgo6VYlg-C7cnQAGlejt1hpPwPlDnQWMkF2nbblKyL6IFPUnnuF0-C7nPAHSKdgTZWSuoyS+IUZjNxl3Ifiwa0hgcEbxLAs4-C8G76E+8OJ3ZoTGg3R4lltQl+HtTQas+2O/fvjnpxw4-C8iE4No6Ao1AbDy5e0Bb64yADnLzcPdoIEb9KO0ydxo-C8mI0xzKZ+Dg8wR6+0MKjc90nOnAxwfV+VkMtkU5LbM-C80XaRl58JfpNt7xwwaXcOy4d2dK7MDAoFJpoU81of0-C9XRCxlKlA5ie0wMKPxPx67OqcDqlSytBzwLMgrsIPU-C9fHUhS0eF8DwD9SyYmQ4NBE9vQiqlXRCA+d/BcrwRs-C9vIZCnMJmqNLuDuLLYIFMo2p6R8aAbihjBfxn1pS5U-C/MgwKh1A1B7pXrR0jdaOfgv9FBvqWE8MzodS8FzgX8-C/M0nUcNOqhtu5xgIpwNai0c20hDe1snxZbWnOkKVqY-C/M6CYketF1rJvQ7g5JHFC6gN1Y1cVwKiBmLvMY6Ubo-C/Rn6cJAGrMaCsCPvTNPg44MyTUOzS5BbbhwGK0tSBM-C/vixaMTi7J+xAM9wYnx+P32o/s6mgMmPwIvUiX36K8-DAtmA78uDNuO0o2iMyslSofp9yhuaYWptuFVUM8aZOM-DBGEI0d2nK+5z2zoFEc3g20jZNeL34k0pEu+IUeoIBg-DBPYdlzpHPsMkszozPcRsIjXTvJ95Vh5WLMy5FngNpU-DBc8py5NMSxwJKrQ9VL68gaFQg/A7HtzsfhWSVWkae8-DBwfxscGJLmMOWuIsOQNBiikQCP0PqhPGOE5gNuXzfU-DCIxQwua3/EJZ7ZD4k8xxkNf6v2t7B7iDo9XEjbVEiE-DCJ4s7V9k6NuEbuDoT/sQRyj9T8LBfHq512nC/HG/9Q-DFBtUaHshpTBSR0bGr0nnoV3594Xk3PgV6akcK9ghUQ-DFTksGxHP97O1gRKIEwIkDXkpEpED+N9AMHY16Ck1ZM-DGIDO36tO70cI3JqsaGJvv+ppuPKUE0fh4sPA8NKF7s-DGdxndamk5Jqv8o5iCujLEqy9RfmyZ7TKaPD3QMWaSM-DHCVpJXTz1cvN+GT8hCOpGC87lnbeop1+YyCnOoblRs-DHcDSk2r6AaviaqDTJ5i2JCJt9IbE1daCuEQmAqFz0A-DIPd9uaUNiizVshcl/CML1joozZmMQJRqqgGwSSK26I-DIkez2g/VsTGAXfD0FYNQD2+51CxIwFH9q449JUbDgA-DI2W5Zx2gTNI7TL7IEipIFbZClC4xGm1NQ/zQaegHjI-DI4jRQvxrxrrltj/7uce9eLrch7ftWahGfSkhe4bQBE-DJULMWZR1JsrLvorstf2PYWfnp3kklwGssqBHNUpvKI-DJf+BwrzYFMrNrE++sxx15eeFBIK6xp0S6/r0dSAMA4-DJ1riowsnvTjmazwrAXknE1n4UGb8znkuSN/mou/uD8-DKbptS44RJ9ko7Ka26lQybJh6jUvjm82V2ZVje4ENRM-DKf472P10A1m05KU51D7Nn/+/pFg5cqgOxxGMcjFlPc-DKnov33Obolq1hkV7OwVYIAM5P65e1uz1/ZQSVV3KxM-DLiAUDMXIAnquNuKfIswlnNruf+chTJLjjFgbIi5ioA-DMiAQd9ulovnJDthZA5DwpwvsygO9m3rfoZXNYZObyE-DNMG5FYjvwkD38MVLq0jQYtoKT0rsQniXSD02yXAZRE-DNMf9tkpaaJ61qiRlDruH92p/l+kkDSYMQfN7QdDqqM-DNeqngpVZ7oT19abTd9zBzpHsEsQ7a+lH5XB0JwUZhA-DO78JiSm1o5rA8zZn86BBS+dWeqr2i0BAST5urklVv4-DQCNFf9u4eG19ydm/NWd8ZP4NLevjt7YhjGjEfh0huM-DQkgo69ToL2ge3pf7BaTeRGyS45izawpIErMgr2i4bY-DSrbHmkwdH0y7xWG600a5Dvl0tYtAdvCtOAT890wF5I-DTa8gpDGjrB662XCEgz2FV++Ddbjr0KXqLFwrOyx6Ag-DUl7uu1fAo4JlC76pLmOxEB/NWZK8rrnYRLrvlkgmjI-DVYTKiSMszEHC53QSMagU0Yxrip8Pmvmo6zS54ed2u8-DVueDh8+v7trfJ+yFaQ7pn1ll7OHW2l0skbvFtjzM0E-DWPS/fEaMHN/OOAM1vcWq6km4g/aPnOEzi2+e3vj07c-DW08xGkAqOL77ywTd/J1+HB3uzN5fxsrscZKjXayjYU-DXVhiwlpV3NUbvpZRLvEUU8dkdtbTokTRp5nPf6o394-DXXGJWzQJ8u6ztj1yId3cw9wa0YjaNzNG/Tli+tqBmA-DbAUgdYJx4+O9K+dWXfrKIxfQxpZE+Z871xiq5qCp4Q-Db/nifHA/8nTQNMydHosI5rRKJZh/AeIjoifarurUGw-DcXgwY3C+I3b6ejjUt0wLNJ0VNThMPqXf9eLvSgoVio-DcqtQYFoZP86fhBrikAev4yQD3k56xzcjXcEGOa7Oh8-Dctrfp66XCvn04511LX9gARcA4snVE5NM+7Cj+Ishxc-DczYp7AwJi5Wt+ZyH4IbcLguyvUOiWxmTAdDh1Y7I/s-Dc/oRpvx4U9eoN8Fm4I8h6P3f7q6Af+G58JmP3QPg9M-DdWyHTYsGsOxrXbRxQZXiC5k+jNeusEv/Ef9dRl2qrw-DdhRsALdv4BIQNauoTTPeucEuxScWV2qrUKp3rBTc90-DeVq9ufV3AqQjXOqut16dJ/SFjo3MNjoPtFJ0xbCivs-DfCdZ4PzcnqIhrTRn31s33PYpX8zcoc9x33ZxRyrHhk-DgsWuA2wk
Source: 52CE.exe, 00000007.00000003.2440250020.0000000002F3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696487552x
Source: 58CA.exe, 00000011.00000003.2959484573.0000000003B36000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.2959949994.0000000003C99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: m UmVW9JP3JpLzwoz36YtcTnDnWTf7ggvQEMuK44kS0i0
Source: explorer.exe, 00000002.00000000.2117697353.000000000C474000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: me#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94
Source: 52CE.exe, 00000007.00000003.2440250020.0000000002F3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696487552
Source: 58CA.exe, 00000011.00000003.3042557818.0000000003A8C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MIGJAoGBANISBQMG9FQEmUYbqSHKCMVy6pp7Lg62kDV5bh2nFFvTob4Cf4Z3gvXv
Source: 52CE.exe, 00000007.00000003.2440250020.0000000002F3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696487552h
Source: 58CA.exe, 00000011.00000003.2969930160.0000000002F09000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.2970615844.00000000039BA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.2970828579.0000000002F3D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: >7:qEmu\|Z
Source: 52CE.exe, 00000007.00000003.2440250020.0000000002F3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696487552t
Source: 58CA.exe, 00000011.00000003.3042557818.0000000003A8C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Fi/NaU/VvYUxcVTz4vaYs2NRFcShZgtsVKBQ39+vmcICB7VZbxFYSGTVNsAYOU0j
Source: 58CA.exe, 00000011.00000003.3491176059.0000000003A84000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 3slkxq7yNULTu3/VEyTYIpH/jPctGwWTKlWVMcIrS5TmYT5ymrA/AgMBAAE=
Source: 58CA.exe, 00000011.00000003.2959484573.0000000003B36000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.2959949994.0000000003C99000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.2963025040.0000000003F52000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: m DI4jRQvxrxrrltj/7uce9eLrch7ftWahGfSkhe4bQBE
Source: 5C46.exe, 00000010.00000002.2443219855.0000000002944000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: K,<=;;?9:VMcI;8
Source: explorer.exe, 00000002.00000000.2117072939.000000000C354000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}@r
Source: explorer.exe, 00000002.00000000.2110827133.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 52CE.exe, 00000007.00000003.2440250020.0000000002F3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
Source: 58CA.exe, 00000011.00000003.2983630563.0000000004066000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.2975535401.0000000004064000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.2979330924.0000000004066000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.2978592045.0000000004065000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.3051950204.000000000404A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: /eu0c4u95RZ6TmTu+WZ4LJtRUpLXPiL1ZfpdLJeM-C5dXEmveX9PwxXgUPF4U6FMl3F8VIsboaJ6hjvtSgGo-C63wNXTxzvJ+jLG7gJ5m1rmT5v79H79KNAxGgo6VYlg-C7cnQAGlejt1hpPwPlDnQWMkF2nbblKyL6IFPUnnuF0-C7nPAHSKdgTZWSuoyS+IUZjNxl3Ifiwa0hgcEbxLAs4-C8G76E+8OJ3ZoTGg3R4lltQl+HtTQas+2O/fvjnpxw4-C8iE4No6Ao1AbDy5e0Bb64yADnLzcPdoIEb9KO0ydxo-C8mI0xzKZ+Dg8wR6+0MKjc90nOnAxwfV+VkMtkU5LbM-C80XaRl58JfpNt7xwwaXcOy4d2dK7MDAoFJpoU81of0-C9XRCxlKlA5ie0wMKPxPx67OqcDqlSytBzwLMgrsIPU-C9fHUhS0eF8DwD9SyYmQ4NBE9vQiqlXRCA+d/BcrwRs-C9vIZCnMJmqNLuDuLLYIFMo2p6R8aAbihjBfxn1pS5U-C/MgwKh1A1B7pXrR0jdaOfgv9FBvqWE8MzodS8FzgX8-C/M0nUcNOqhtu5xgIpwNai0c20hDe1snxZbWnOkKVqY-C/M6CYketF1rJvQ7g5JHFC6gN1Y1cVwKiBmLvMY6Ubo-C/Rn6cJAGrMaCsCPvTNPg44MyTUOzS5BbbhwGK0tSBM-C/vixaMTi7J+xAM9wYnx+P32o/s6mgMmPwIvUiX36K8-DAtmA78uDNuO0o2iMyslSofp9yhuaYWptuFVUM8aZOM-DBGEI0d2nK+5z2zoFEc3g20jZNeL34k0pEu+IUeoIBg-DBPYdlzpHPsMkszozPcRsIjXTvJ95Vh5WLMy5FngNpU-DBc8py5NMSxwJKrQ9VL68gaFQg/A7HtzsfhWSVWkae8-DBwfxscGJLmMOWuIsOQNBiikQCP0PqhPGOE5gNuXzfU-DCIxQwua3/EJZ7ZD4k8xxkNf6v2t7B7iDo9XEjbVEiE-DCJ4s7V9k6NuEbuDoT/sQRyj9T8LBfHq512nC/HG/9Q-DFBtUaHshpTBSR0bGr0nnoV3594Xk3PgV6akcK9ghUQ-DFTksGxHP97O1gRKIEwIkDXkpEpED+N9AMHY16Ck1ZM-DGIDO36tO70cI3JqsaGJvv+ppuPKUE0fh4sPA8NKF7s-DGdxndamk5Jqv8o5iCujLEqy9RfmyZ7TKaPD3QMWaSM-DHCVpJXTz1cvN+GT8hCOpGC87lnbeop1+YyCnOoblRs-DHcDSk2r6AaviaqDTJ5i2JCJt9IbE1daCuEQmAqFz0A-DIPd9uaUNiizVshcl/CML1joozZmMQJRqqgGwSSK26I-DIkez2g/VsTGAXfD0FYNQD2+51CxIwFH9q449JUbDgA-DI2W5Zx2gTNI7TL7IEipIFbZClC4xGm1NQ/zQaegHjI-DI4jRQvxrxrrltj/7uce9eLrch7ftWahGfSkhe4bQBE-DJULMWZR1JsrLvorstf2PYWfnp3kklwGssqBHNUpvKI-DJf+BwrzYFMrNrE++sxx15eeFBIK6xp0S6/r0dSAMA4-DJ1riowsnvTjmazwrAXknE1n4UGb8znkuSN/mou/uD8-DKbptS44RJ9ko7Ka26lQybJh6jUvjm82V2ZVje4ENRM-DKf472P10A1m05KU51D7Nn/+/pFg5cqgOxxGMcjFlPc-DKnov33Obolq1hkV7OwVYIAM5P65e1uz1/ZQSVV3KxM-DLiAUDMXIAnquNuKfIswlnNruf+chTJLjjFgbIi5ioA-DMiAQd9ulovnJDthZA5DwpwvsygO9m3rfoZXNYZObyE-DNMG5FYjvwkD38MVLq0jQYtoKT0rsQniXSD02yXAZRE-DNMf9tkpaaJ61qiRlDruH92p/l+kkDSYMQfN7QdDqqM-DNeqngpVZ7oT19abTd9zBzpHsEsQ7a+lH5XB0JwUZhA-DO78JiSm1o5rA8zZn86BBS+dWeqr2i0BAST5urklVv4-DQCNFf9u4eG19ydm/NWd8ZP4NLevjt7YhjGjEfh0huM-DQkgo69ToL2ge3pf7BaTeRGyS45izawpIErMgr2i4bY-DSrbHmkwdH0y7xWG600a5Dvl0tYtAdvCtOAT890wF5I-DTa8gpDGjrB662XCEgz2FV++Ddbjr0KXqLFwrOyx6Ag-DUl7uu1fAo4JlC76pLmOxEB/NWZK8rrnYRLrvlkgmjI-DVYTKiSMszEHC53QSMagU0Yxrip8Pmvmo6zS54ed2u8-DVueDh8+v7trfJ+yFaQ7pn1ll7OHW2l0skbvFtjzM0E-DWPS/fEaMHN/OOAM1vcWq6km4g/aPnOEzi2+e3vj07c-DW08xGkAqOL77ywTd/J1+HB3uzN5fxsrscZKjXayjYU-DXVhiwlpV3NUbvpZRLvEUU8dkdtbTokTRp5nPf6o394-DXXGJWzQJ8u6ztj1yId3cw9wa0YjaNzNG/Tli+tqBmA-DbAUgdYJx4+O9K+dWXfrKIxfQxpZE+Z871xiq5qCp4Q-Db/nifHA/8nTQNMydHosI5rRKJZh/AeIjoifarurUGw-DcXgwY3C+I3b6ejjUt0wLNJ0VNThMPqXf9eLvSgoVio-DcqtQYFoZP86fhBrikAev4yQD3k56xzcjXcEGOa7Oh8-Dctrfp66XCvn04511LX9gARcA4snVE5NM+7Cj+Ishxc-DczYp7AwJi5Wt+ZyH4IbcLguyvUOiWxmTAdDh1Y7I/s-Dc/oRpvx4U9eoN8Fm4I8h6P3f7q6Af+G58JmP3QPg9M-DdWyHTYsGsOxrXbRxQZXiC5k+jNeusEv/Ef9dRl2qrw-DdhRsALdv4BIQNauoTTPeucEuxScWV2qrUKp3rBTc90-DeVq9ufV3AqQjXOqut16dJ/SFjo3MNjoPtFJ0xbCivs-DfCdZ4PzcnqIhrTRn31s33PYpX8zcoc9x33ZxRyrHhk-DgsWuA2wkVR
Source: 52CE.exe, 00000007.00000003.2440250020.0000000002F3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696487552\|UE
Source: 52CE.exe, 00000007.00000003.2440250020.0000000002F3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696487552u
Source: explorer.exe, 00000002.00000000.2117072939.000000000C354000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: 52CE.exe, 00000007.00000003.2440250020.0000000002F3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696487552x
Source: explorer.exe, 00000002.00000000.2117072939.000000000C354000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}@
Source: 52CE.exe, 00000007.00000002.2528051168.00000000007FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWXJ
Source: 52CE.exe, 00000007.00000003.2440250020.0000000002F3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552
Source: 52CE.exe, 00000007.00000003.2440120843.0000000002F48000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: - GDCDYNVMware20,11696487552p
Source: 52CE.exe, 00000007.00000003.2440250020.0000000002F3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696487552d
Source: 52CE.exe, 00000007.00000003.2440250020.0000000002F3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696487552]
Source: explorer.exe, 00000002.00000000.2115395626.00000000097F3000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000002.00000000.2115057118.000000000973C000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWws
Source: 58CA.exe, 00000011.00000003.3670619421.0000000003A85000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: an6zYaGMDELrubWA6FhgFsrtk9CuIiIJYZhvenKIZdE2mgMRErUH3EbfjlSKpYro
Source: 52CE.exe, 00000007.00000003.2440250020.0000000002F3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
Source: explorer.exe, 00000002.00000000.2115057118.0000000009605000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: NXTVMWare
Source: 52CE.exe, 00000007.00000003.2440250020.0000000002F3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
Source: 52CE.exe, 00000007.00000003.2440250020.0000000002F3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
Source: explorer.exe, 00000002.00000000.2110827133.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000W
Source: 52CE.exe, 00000007.00000003.2440250020.0000000002F3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
Source: 52CE.exe, 00000007.00000003.2440250020.0000000002F3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
Source: 52CE.exe, 00000007.00000003.2440250020.0000000002F3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696487552s
Source: 52CE.exe, 00000007.00000003.2440250020.0000000002F3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696487552
Source: explorer.exe, 00000002.00000000.2115395626.00000000098AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}lnkramW6
Source: 52CE.exe, 00000007.00000003.2440250020.0000000002F3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696487552t
Source: 52CE.exe, 00000007.00000003.2440250020.0000000002F3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552x
Source: 52CE.exe, 00000007.00000003.2440250020.0000000002F3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696487552}
Source: explorer.exe, 00000002.00000000.2110827133.0000000000D99000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: 52CE.exe, 00000007.00000003.2440250020.0000000002F3B000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552

Source: C:\Users\user\AppData\Local\Temp\5C46.exe

API call chain: ExitProcess graph end node

graph_16-4393

Source: C:\Users\user\Desktop\v6SEx6rJ3E.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\v6SEx6rJ3E.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\Desktop\v6SEx6rJ3E.exe	System information queried: CodeIntegrityInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\esiffai	System information queried: CodeIntegrityInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD27.exe	System information queried: CodeIntegrityInformation

Source: C:\Users\user\Desktop\v6SEx6rJ3E.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\esiffai	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD27.exe	Process queried: DebugPort

Source: C:\Users\user\AppData\Local\Temp\5C46.exe

Code function: 10_2_00409543 GetWindowsDirectoryW,NtAllocateVirtualMemory,EnterCriticalSection,RtlInitUnicodeString,RtlInitUnicodeString,LeaveCriticalSection,LdrEnumerateLoadedModules,

10_2_00409543

Source: C:\Users\user\AppData\Local\Temp\52CE.exe

Code function: 7_2_00404C24 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

7_2_00404C24

Source: C:\Users\user\Desktop\v6SEx6rJ3E.exe

Code function: 0_2_00428960 LoadLibraryW,GetProcAddress,VirtualProtect,

0_2_00428960

Source: C:\Users\user\Desktop\v6SEx6rJ3E.exe	Code function: 0_2_0049025A push dword ptr fs:[00000030h]	0_2_0049025A
Source: C:\Users\user\Desktop\v6SEx6rJ3E.exe	Code function: 0_2_0208092B mov eax, dword ptr fs:[00000030h]	0_2_0208092B
Source: C:\Users\user\Desktop\v6SEx6rJ3E.exe	Code function: 0_2_02080D90 mov eax, dword ptr fs:[00000030h]	0_2_02080D90
Source: C:\Users\user\AppData\Roaming\esiffai	Code function: 6_2_004C092B mov eax, dword ptr fs:[00000030h]	6_2_004C092B
Source: C:\Users\user\AppData\Roaming\esiffai	Code function: 6_2_004C0D90 mov eax, dword ptr fs:[00000030h]	6_2_004C0D90
Source: C:\Users\user\AppData\Roaming\esiffai	Code function: 6_2_005B0F62 push dword ptr fs:[00000030h]	6_2_005B0F62
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_0040B000 mov edx, dword ptr fs:[00000030h]	7_2_0040B000
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_0045F188 mov eax, dword ptr fs:[00000030h]	7_2_0045F188
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_0045F1A8 mov ecx, dword ptr fs:[00000030h]	7_2_0045F1A8
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_0078FDA0 mov ecx, dword ptr fs:[00000030h]	7_2_0078FDA0
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_0078FD80 mov eax, dword ptr fs:[00000030h]	7_2_0078FD80
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Code function: 9_2_049050A3 push dword ptr fs:[00000030h]	9_2_049050A3
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Code function: 9_2_04AC0042 push dword ptr fs:[00000030h]	9_2_04AC0042
Source: C:\Users\user\AppData\Local\Temp\5C46.exe	Code function: 10_2_0040AEA4 mov eax, dword ptr fs:[00000030h]	10_2_0040AEA4
Source: C:\Users\user\AppData\Local\Temp\5C46.exe	Code function: 10_2_00407D21 mov eax, dword ptr fs:[00000030h]	10_2_00407D21
Source: C:\Users\user\AppData\Local\Temp\5C46.exe	Code function: 16_2_00407D21 mov eax, dword ptr fs:[00000030h]	16_2_00407D21
Source: C:\Users\user\AppData\Local\Temp\5C46.exe	Code function: 16_2_0040AEA4 mov eax, dword ptr fs:[00000030h]	16_2_0040AEA4

Source: C:\Users\user\Desktop\v6SEx6rJ3E.exe

Code function: 0_2_004293E0 GetTickCount,GetLastError,GetConsoleAliasesA,CreateDirectoryW,PulseEvent,FindResourceW,InterlockedIncrement,DestroyCursor,SetDefaultCommConfigA,FreeEnvironmentStringsA,GetCurrentDirectoryA,EnumDateFormatsExW,GetStartupInfoW,GetModuleHandleExA,OpenJobObjectA,GetConsoleAliasesLengthW,WideCharToMultiByte,GetLocaleInfoA,GlobalUnfix,SystemTimeToTzSpecificLocalTime,SetCurrentDirectoryA,MoveFileExW,OpenWaitableTimerW,CompareStringW,GetProcessHeap,DuplicateToken,

0_2_004293E0

Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_00404C24 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_00404C24
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_004040F4 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	7_2_004040F4
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_004020BA SetUnhandledExceptionFilter,	7_2_004020BA
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: 7_2_0040974E __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	7_2_0040974E

Source: C:\Users\user\AppData\Local\Temp\8B96.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: 3ADF.exe.2.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 109.175.29.39 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 186.147.159.149 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 172.67.173.86 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 91.215.85.120 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 185.172.128.19 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 141.8.192.6 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 91.92.244.44 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 189.232.10.46 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 103.20.213.70 443	Jump to behavior

Contains functionality to inject code into remote processes

Source: C:\Users\user\AppData\Local\Temp\58CA.exe

Code function: 9_2_04AC0110 VirtualAlloc,CreateProcessA,VirtualFree,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtUnmapViewOfSection,VirtualAllocEx,NtWriteVirtualMemory,NtWriteVirtualMemory,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,ExitProcess,

9_2_04AC0110

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Desktop\v6SEx6rJ3E.exe	Thread created: C:\Windows\explorer.exe EIP: 8761A88	Jump to behavior
Source: C:\Users\user\AppData\Roaming\esiffai	Thread created: unknown EIP: 2F31A88	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD27.exe	Thread created: unknown EIP: 2F819F0

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Memory written: C:\Users\user\AppData\Local\Temp\58CA.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\ProgramData\Drivers\csrss.exe	Memory written: C:\ProgramData\Drivers\csrss.exe base: 400000 value starts with: 4D5A

LummaC encrypted strings found

Source: 52CE.exe	String found in binary or memory: sofahuntingslidedine.shop
Source: 52CE.exe	String found in binary or memory: culturesketchfinanciall.shop
Source: 52CE.exe	String found in binary or memory: triangleseasonbenchwj.shop
Source: 52CE.exe	String found in binary or memory: modestessayevenmilwek.shop
Source: 52CE.exe	String found in binary or memory: liabilityarrangemenyit.shop
Source: 52CE.exe	String found in binary or memory: claimconcessionrebe.shop
Source: 52CE.exe	String found in binary or memory: secretionsuitcasenioise.shop
Source: 52CE.exe	String found in binary or memory: gemcreedarticulateod.shop

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\v6SEx6rJ3E.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\Desktop\v6SEx6rJ3E.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Roaming\esiffai	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\esiffai	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\BD27.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Local\Temp\BD27.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read

Sample uses process hollowing technique

Source: C:\ProgramData\Drivers\csrss.exe

Section unmapped: unknown base address: 400000

Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Process created: C:\Users\user\AppData\Local\Temp\58CA.exe C:\Users\user\AppData\Local\Temp\58CA.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\8B96.exe	Process created: C:\Users\user\AppData\Local\Temp\InstallSetup4.exe "C:\Users\user\AppData\Local\Temp\InstallSetup4.exe"
Source: C:\Users\user\AppData\Local\Temp\8B96.exe	Process created: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe "C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Process created: C:\Windows\System32\cmd.exe C:\Windows\Sysnative\cmd.exe /C fodhelper
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\chcp.com chcp 1251
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\user\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\fodhelper.exe fodhelper
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\fodhelper.exe "C:\Windows\system32\fodhelper.exe"
Source: C:\Windows\System32\fodhelper.exe	Process created: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe "C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
Source: C:\ProgramData\Drivers\csrss.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	Process created: unknown unknown

Source: C:\Users\user\AppData\Local\Temp\5C46.exe

Code function: 10_2_004082B6 CheckTokenMembership,AllocateAndInitializeSid,FreeSid,

10_2_004082B6

Source: explorer.exe, 00000002.00000000.2111135370.00000000013A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: IProgram Manager
Source: explorer.exe, 00000002.00000000.2112499753.00000000048E0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2111135370.00000000013A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.2111135370.00000000013A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.2110827133.0000000000D69000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: +Progman
Source: explorer.exe, 00000002.00000000.2111135370.00000000013A0000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock
Source: explorer.exe, 00000002.00000000.2115395626.00000000098AD000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd31A

Source: C:\Users\user\Desktop\v6SEx6rJ3E.exe	Code function: GetTickCount,GetLastError,GetConsoleAliasesA,CreateDirectoryW,PulseEvent,FindResourceW,InterlockedIncrement,DestroyCursor,SetDefaultCommConfigA,FreeEnvironmentStringsA,GetCurrentDirectoryA,EnumDateFormatsExW,GetStartupInfoW,GetModuleHandleExA,OpenJobObjectA,GetConsoleAliasesLengthW,WideCharToMultiByte,GetLocaleInfoA,GlobalUnfix,SystemTimeToTzSpecificLocalTime,SetCurrentDirectoryA,MoveFileExW,OpenWaitableTimerW,CompareStringW,GetProcessHeap,DuplicateToken,	0_2_004293E0
Source: C:\Users\user\AppData\Roaming\esiffai	Code function: GetTickCount,GetLastError,GetConsoleAliasesA,CreateDirectoryW,PulseEvent,FindResourceW,InterlockedIncrement,DestroyCursor,SetDefaultCommConfigA,FreeEnvironmentStringsA,GetCurrentDirectoryA,EnumDateFormatsExW,GetStartupInfoW,GetModuleHandleExA,OpenJobObjectA,GetConsoleAliasesLengthW,WideCharToMultiByte,GetLocaleInfoA,GlobalUnfix,SystemTimeToTzSpecificLocalTime,SetCurrentDirectoryA,MoveFileExW,OpenWaitableTimerW,CompareStringW,GetProcessHeap,DuplicateToken,	6_2_004293E0
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: VirtualAlloc,LoadLibraryA,GetProcAddress,GetProcAddress,___crtGetLocaleInfoEx,lstrlenW,CreateThread,Sleep,WaitForSingleObject,	7_2_0040B000
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: ___crtGetLocaleInfoEx,	7_2_0040BC8C
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Code function: GetLocaleInfoA,	7_2_00409E93

Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\58CA.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7147.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7147.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7147.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7147.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7147.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7147.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7147.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\8B96.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\8B96.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\v6SEx6rJ3E.exe

Code function: 0_2_00429330 FreeEnvironmentStringsA,ReadEventLogA,CreateNamedPipeA,LocalFileTimeToFileTime,

0_2_00429330

Source: C:\Users\user\AppData\Local\Temp\52CE.exe

Code function: 7_2_0040360C GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

7_2_0040360C

Source: C:\Users\user\AppData\Local\Temp\52CE.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected Glupteba

Source: Yara match	File source: 44.2.288c47bbc1871b439df19ff4df68f076.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.288c47bbc1871b439df19ff4df68f076.exe.4f60e67.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.3.288c47bbc1871b439df19ff4df68f076.exe.58d0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.288c47bbc1871b439df19ff4df68f076.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.288c47bbc1871b439df19ff4df68f076.exe.4fe0e67.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.288c47bbc1871b439df19ff4df68f076.exe.5850000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000016.00000002.2669166825.00000000053A3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.2695084948.0000000000843000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.2663525231.0000000005D12000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.2739842815.0000000005423000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.2535351079.0000000005C92000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2661056946.0000000000843000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY

Yara detected LummaC Stealer

Source: Yara match

File source: Process Memory Space: 52CE.exe PID: 2784, type: MEMORYSTR

Yara detected SmokeLoader

Source: Yara match	File source: 38.2.BD27.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.BD27.exe.2bd0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.BD27.exe.2bc0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2122757186.00000000020B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2363904788.00000000004D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.2625881100.0000000002BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2122714644.0000000002090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.2680038796.0000000002BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2364285288.0000000000551000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.2680205009.0000000002C11000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Socks5Systemz

Source: Yara match	File source: 00000023.00000002.4721026220.0000000000B21000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.4714471412.00000000008BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Yara detected Stealc

Source: Yara match	File source: 30.2.nsh9BCF.tmp.2b70e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.3.nsh9BCF.tmp.4760000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.nsh9BCF.tmp.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.nsh9BCF.tmp.2b70e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.nsh9BCF.tmp.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001E.00000002.3306141637.0000000002B70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.3308661443.0000000002BE5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.2588311330.0000000004760000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.3301685410.0000000000400000.00000040.00000001.01000000.00000015.sdmp, type: MEMORY

Yara detected Vidar stealer

Source: Yara match

File source: 30.2.nsh9BCF.tmp.2b70e67.1.unpack, type: UNPACKEDPE

Found many strings related to Crypto-Wallets (likely being stolen)

Source: 52CE.exe, 00000007.00000003.2506090974.0000000000841000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Electrum\wallets
Source: 52CE.exe, 00000007.00000003.2506090974.0000000000841000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB[
Source: 52CE.exe, 00000007.00000003.2506090974.0000000000841000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: 52CE.exe, 00000007.00000002.2533125014.0000000000823000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Exodus
Source: 52CE.exe, 00000007.00000002.2537116838.00000000021C8000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: AYvapp-store.jsonvWallets/BinanceC:\Users\user\AppData\Roaming\Binance*}ov%appdata%\Binance8
Source: 52CE.exe, 00000007.00000003.2506090974.0000000000841000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum
Source: 52CE.exe, 00000007.00000002.2537116838.00000000021C8000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: nv[XvAYvAYvWallets/CoinomiC:\Users\user\AppData\Local\Coinomi\Coinomi\wallets%localappdata%\Coinomi\Coinomi\walletsv[XvAYvAYvWallets/AtomicvC:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbv%appdata%\atomic\Local Storage\leveldbv*[XvAYvAYvWallets/Ledger Live
Source: 52CE.exe, 00000007.00000002.2533125014.0000000000823000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: keystore
Source: 52CE.exe, 00000007.00000002.2537116838.00000000021C8000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: evC:\Users\user\AppData\Roaming\Ledger Live}ov%appdata%\Ledger Live

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-wal
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\0absryc3.default\key4.db
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-wal
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000001
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG.old
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Tries to steal Crypto Currency Wallets

Source: C:\Users\user\AppData\Local\Temp\52CE.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\7147.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004

Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Directory queried: C:\Users\user\Documents\MXPXCVPDVN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Directory queried: C:\Users\user\Documents\PIVFAGEAAV	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Directory queried: C:\Users\user\Documents\QCOILOQIKC	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Directory queried: C:\Users\user\Documents\ZQIXMVQGAH	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Directory queried: C:\Users\user\Documents\MXPXCVPDVN	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\52CE.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7147.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\7147.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\7147.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\7147.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\AppData\Local\Temp\7147.exe	Directory queried: C:\Users\user\Documents\PIVFAGEAAV
Source: C:\Users\user\AppData\Local\Temp\7147.exe	Directory queried: C:\Users\user\Documents\QCOILOQIKC
Source: C:\Users\user\AppData\Local\Temp\7147.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL
Source: C:\Users\user\AppData\Local\Temp\7147.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT
Source: C:\Users\user\AppData\Local\Temp\7147.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH
Source: C:\Users\user\AppData\Local\Temp\7147.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\7147.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\7147.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\AppData\Local\Temp\7147.exe	Directory queried: C:\Users\user\Documents\GIGIYTFFYT
Source: C:\Users\user\AppData\Local\Temp\7147.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH
Source: C:\Users\user\AppData\Local\Temp\7147.exe	Directory queried: C:\Users\user\Documents\PIVFAGEAAV
Source: C:\Users\user\AppData\Local\Temp\7147.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT
Source: C:\Users\user\AppData\Local\Temp\7147.exe	Directory queried: C:\Users\user\Documents\ZQIXMVQGAH
Source: C:\Users\user\AppData\Local\Temp\7147.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\7147.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\7147.exe	Directory queried: C:\Users\user\Documents\MXPXCVPDVN
Source: C:\Users\user\AppData\Local\Temp\7147.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN
Source: C:\Users\user\AppData\Local\Temp\7147.exe	Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\7147.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\AppData\Local\Temp\7147.exe	Directory queried: C:\Users\user\Documents\SFPUSAFIOL
Source: C:\Users\user\AppData\Local\Temp\7147.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN
Source: C:\Users\user\AppData\Local\Temp\7147.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT
Source: C:\Users\user\AppData\Local\Temp\7147.exe	Directory queried: C:\Users\user\Documents\ZQIXMVQGAH

Source: Yara match	File source: 30.2.nsh9BCF.tmp.2b70e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.nsh9BCF.tmp.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000012.00000003.2882836255.00000000017BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2887800762.00000000017BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.3301685410.000000000043C000.00000040.00000001.01000000.00000015.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.2885033991.00000000017BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000003.2883808615.00000000017BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: 52CE.exe PID: 2784, type: MEMORYSTR

Remote Access Functionality

Yara detected Glupteba

Source: Yara match	File source: 44.2.288c47bbc1871b439df19ff4df68f076.exe.400000.6.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.288c47bbc1871b439df19ff4df68f076.exe.4f60e67.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.3.288c47bbc1871b439df19ff4df68f076.exe.58d0000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.288c47bbc1871b439df19ff4df68f076.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match	File source: 44.2.288c47bbc1871b439df19ff4df68f076.exe.4fe0e67.15.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.3.288c47bbc1871b439df19ff4df68f076.exe.5850000.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000016.00000002.2669166825.00000000053A3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.2695084948.0000000000843000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000003.2663525231.0000000005D12000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002C.00000002.2739842815.0000000005423000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000003.2535351079.0000000005C92000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2661056946.0000000000843000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY

Yara detected LummaC Stealer

Source: Yara match

File source: Process Memory Space: 52CE.exe PID: 2784, type: MEMORYSTR

Yara detected SmokeLoader

Source: Yara match	File source: 38.2.BD27.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.3.BD27.exe.2bd0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 38.2.BD27.exe.2bc0e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2122757186.00000000020B1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2363904788.00000000004D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000003.2625881100.0000000002BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2122714644.0000000002090000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.2680038796.0000000002BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2364285288.0000000000551000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000026.00000002.2680205009.0000000002C11000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Yara detected Socks5Systemz

Source: Yara match	File source: 00000023.00000002.4721026220.0000000000B21000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000023.00000002.4714471412.00000000008BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY

Yara detected Stealc

Source: Yara match	File source: 30.2.nsh9BCF.tmp.2b70e67.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.3.nsh9BCF.tmp.4760000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.nsh9BCF.tmp.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.nsh9BCF.tmp.2b70e67.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 30.2.nsh9BCF.tmp.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000001E.00000002.3306141637.0000000002B70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.3308661443.0000000002BE5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.2588311330.0000000004760000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.3301685410.0000000000400000.00000040.00000001.01000000.00000015.sdmp, type: MEMORY

Yara detected Vidar stealer

Source: Yara match

File source: 30.2.nsh9BCF.tmp.2b70e67.1.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	21 Windows Management Instrumentation	1 Scripting	1 Abuse Elevation Control Mechanism	1 Disable or Modify Tools	2 OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	3 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	12 File and Directory Discovery	Remote Desktop Protocol	41 Data from Local System	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Shared Modules	1 Scheduled Task/Job	1 Access Token Manipulation	1 Abuse Elevation Control Mechanism	Security Account Manager	146 System Information Discovery	SMB/Windows Admin Shares	1 Email Collection	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 Exploitation for Client Execution	1 Registry Run Keys / Startup Folder	613 Process Injection	2 Obfuscated Files or Information	NTDS	1 Query Registry	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	2 Command and Scripting Interpreter	1 Bootkit	1 Scheduled Task/Job	22 Software Packing	LSA Secrets	661 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	1 Scheduled Task/Job	RC Scripts	1 Registry Run Keys / Startup Folder	1 DLL Side-Loading	Cached Domain Credentials	261 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	1 PowerShell	Startup Items	Startup Items	1 File Deletion	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	111 Masquerading	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	261 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	2 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	1 Access Token Manipulation	Network Sniffing	1 Remote System Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	613 Process Injection	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption
Gather Victim Org Information	DNS Server	Compromise Software Supply Chain	Windows Command Shell	Scheduled Task	Scheduled Task	1 Hidden Files and Directories	Keylogging	Process Discovery	Taint Shared Content	Screen Capture	DNS	Exfiltration Over Physical Medium	Resource Hijacking
Determine Physical Locations	Virtual Private Server	Compromise Hardware Supply Chain	Unix Shell	Systemd Timers	Systemd Timers	1 Regsvr32	GUI Input Capture	Permission Groups Discovery	Replication Through Removable Media	Email Collection	Proxy	Exfiltration over USB	Network Denial of Service
Business Relationships	Server	Trusted Relationship	Visual Basic	Container Orchestration Job	Container Orchestration Job	1 Bootkit	Web Portal Capture	Local Groups	Component Object Model and Distributed COM	Local Email Collection	Internal Proxy	Commonly Used Port	Direct Network Flood

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
v6SEx6rJ3E.exe	55%	ReversingLabs	Win32.Trojan.Generic
v6SEx6rJ3E.exe	42%	Virustotal		Browse
v6SEx6rJ3E.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\ProgramData\DeliveryStatusFields_65\DeliveryStatusFields_65.exe	100%	Avira	HEUR/AGEN.1324712
C:\ProgramData\Drivers\csrss.exe	100%	Avira	HEUR/AGEN.1312689
C:\ProgramData\DeliveryStatusFields_65\DeliveryStatusFields_65.exe	100%	Joe Sandbox ML
C:\ProgramData\Drivers\csrss.exe	100%	Joe Sandbox ML
C:\ProgramData\DeliveryStatusFields_65\DeliveryStatusFields_65.exe	44%	Virustotal		Browse
C:\ProgramData\Drivers\csrss.exe	66%	ReversingLabs	Win32.Trojan.Smokeloader
C:\ProgramData\Drivers\csrss.exe	55%	Virustotal		Browse
C:\ProgramData\freebl3.dll	0%	ReversingLabs
C:\ProgramData\mozglue.dll	0%	ReversingLabs
C:\ProgramData\msvcp140.dll	0%	ReversingLabs
C:\ProgramData\nss3.dll	0%	ReversingLabs
C:\ProgramData\softokn3.dll	0%	ReversingLabs
C:\ProgramData\vcruntime140.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Key Signatures verification\SDL2.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Key Signatures verification\avcodec-58.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Key Signatures verification\avformat-58.dll (copy)	3%	ReversingLabs
C:\Users\user\AppData\Local\Key Signatures verification\avutil-56.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Key Signatures verification\is-1OHA3.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Key Signatures verification\is-3DVHE.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Key Signatures verification\is-52MI6.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Key Signatures verification\is-8QNGU.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Key Signatures verification\is-G0QLS.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Key Signatures verification\is-G7N1I.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Key Signatures verification\is-HN3OD.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Key Signatures verification\is-JBCJU.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Key Signatures verification\is-L82B0.tmp	3%	ReversingLabs
C:\Users\user\AppData\Local\Key Signatures verification\is-M5A95.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Key Signatures verification\is-N956R.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Key Signatures verification\is-R4VT6.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Key Signatures verification\is-RHOK0.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Key Signatures verification\is-U0S2N.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Key Signatures verification\libbz2-1.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Key Signatures verification\libgcc_s_dw2-1.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Key Signatures verification\libiconv-2.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Key Signatures verification\libogg-0.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Key Signatures verification\libvorbis-0.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Key Signatures verification\libvorbisenc-2.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Key Signatures verification\libwinpthread-1.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Key Signatures verification\swresample-3.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Key Signatures verification\zlib1.dll (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\freebl3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\mozglue[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\msvcp140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\nss3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\softokn3[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\vcruntime140[1].dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\syncUpd[1].exe	32%	ReversingLabs
C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe	71%	ReversingLabs	Win32.Trojan.Smokeloader
C:\Users\user\AppData\Local\Temp\3ADF.exe	26%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\52CE.exe	53%	ReversingLabs	Win32.Trojan.LummaStealer
C:\Users\user\AppData\Local\Temp\58CA.exe	66%	ReversingLabs	Win32.Trojan.Smokeloader
C:\Users\user\AppData\Local\Temp\5C46.exe	87%	ReversingLabs	Win32.Trojan.Pitou
C:\Users\user\AppData\Local\Temp\6000.dll	32%	ReversingLabs	Win32.Trojan.Smokeloader
C:\Users\user\AppData\Local\Temp\7147.exe	34%	ReversingLabs
C:\Users\user\AppData\Local\Temp\8B96.exe	79%	ReversingLabs	ByteCode-MSIL.Trojan.Smokeloader
C:\Users\user\AppData\Local\Temp\BroomSetup.exe	21%	ReversingLabs	Win32.Trojan.Generic
C:\Users\user\AppData\Local\Temp\D358.exe	84%	ReversingLabs	Win32.Trojan.Smokeloader
C:\Users\user\AppData\Local\Temp\DFB4.exe	37%	ReversingLabs
C:\Users\user\AppData\Local\Temp\InstallSetup4.exe	66%	ReversingLabs	Win32.Trojan.Nemesis
C:\Users\user\AppData\Local\Temp\is-66LSP.tmp\_isetup\_RegDLL.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-66LSP.tmp\_isetup\_iscrypt.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-66LSP.tmp\_isetup\_isdecmp.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-66LSP.tmp\_isetup\_setup64.tmp	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-66LSP.tmp\_isetup\_shfoldr.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-7LVCL.tmp\99FE.tmp	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nse94C9.tmp\INetC.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp	32%	ReversingLabs
C:\Users\user\AppData\Roaming\esiffai	55%	ReversingLabs	Win32.Trojan.Generic

Source	Detection	Scanner	Label	Link
https://word.office.comM	0%	URL Reputation	safe
http://185.172.128.79/3886d2276f6914c4.php	0%	URL Reputation	safe
https://outlook.come	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
https://claimconcessionrebe.shop/9g	100%	Avira URL Cloud	phishing
triangleseasonbenchwj.shop	100%	Avira URL Cloud	malware
http://cassiosssionunu.me/index.php	0%	Avira URL Cloud	safe
sofahuntingslidedine.shop	100%	Avira URL Cloud	phishing
http://buriatiarutuhuob.net/index.php	0%	Avira URL Cloud	safe
http://buriatiarutuhuob.net/index.php	13%	Virustotal		Browse
http://cassiosssionunu.me/index.php	13%	Virustotal		Browse
sofahuntingslidedine.shop	12%	Virustotal		Browse
triangleseasonbenchwj.shop	18%	Virustotal		Browse
claimconcessionrebe.shop	14%	Virustotal		Browse
liabilityarrangemenyit.shop	10%	Virustotal		Browse
liabilityarrangemenyit.shop	100%	Avira URL Cloud	malware
https://claimconcessionrebe.shop/api	100%	Avira URL Cloud	phishing
https://excel.office.com-	0%	Avira URL Cloud	safe
https://claimconcessionrebe.shop/	100%	Avira URL Cloud	phishing
claimconcessionrebe.shop	100%	Avira URL Cloud	phishing
https://sabotage.net	0%	Avira URL Cloud	safe
https://www.blankbeauty.com/Walmart?povid=GlobalNav_rWeb_Beauty_TrendinginBeauty_BlankBeautyCustomNa	0%	Avira URL Cloud	safe
https://claimconcessionrebe.shop/api	15%	Virustotal		Browse
https://sabotage.net	0%	Virustotal		Browse
https://claimconcessionrebe.shop/	0%	Virustotal		Browse

Name	Malicious	Antivirus Detection	Reputation
http://185.172.128.79/3886d2276f6914c4.php	true	URL Reputation: safe	unknown
http://buriatiarutuhuob.net/index.php	true	13%, Virustotal, Browse Avira URL Cloud: safe	unknown
triangleseasonbenchwj.shop	true	18%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://cassiosssionunu.me/index.php	true	13%, Virustotal, Browse Avira URL Cloud: safe	unknown
sofahuntingslidedine.shop	true	12%, Virustotal, Browse Avira URL Cloud: phishing	unknown
liabilityarrangemenyit.shop	true	10%, Virustotal, Browse Avira URL Cloud: malware	unknown
claimconcessionrebe.shop	true	14%, Virustotal, Browse Avira URL Cloud: phishing	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	52CE.exe, 00000007.00000003.2358962427.0000000002F28000.00000004.00000800.00020000.00000000.sdmp, 52CE.exe, 00000007.00000003.2358835967.0000000002F2B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://i5.walmartimages.com/dfw/4ff9c6c9-e091/k2-_5abd632e-14d1-44b2-8361-fd23d6198365.v1.jpg	58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	52CE.exe, 00000007.00000003.2358962427.0000000002F28000.00000004.00000800.00020000.00000000.sdmp, 52CE.exe, 00000007.00000003.2358835967.0000000002F2B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 00000002.00000000.2112640933.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://i5.walmartimages.com/dfw/4ff9c6c9-49a1/k2-_34929c48-8885-4b5f-9448-b9abc7b04116.v1.jpg	58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://i5.walmartimages.com/seo/Animals-Plush-Toy-Lunar-Year-Plush-Dragon-for-Couch-Lunar-New-Year-	58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.walmart.com/shop/clothing-and-accessories/new-arrivals?povid=GlobalNav_rWeb_ClothingShoe	58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000002.00000000.2112640933.00000000073E5000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.2115057118.000000000973C000.00000004.00000001.00020000.00000000.sdmp	false		high
https://word.office.comM	explorer.exe, 00000002.00000000.2117072939.000000000C048000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.walmart.com/cp/xbox-series-x/9206773?povid=GlobalNav_rWeb_Kids_VideoGames_Xbox_Control	58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4060926865.0000000029D0A000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://i5.walmartimages.com/seo/Twin-Mattress-Nisien-10-Inch-Hybrid-Mattress-Box-Gel-Memory-Foam-Ma	58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://i5.walmartimages.com/asr/f29c5883-ea93-47b7-91e0-83e553f6521a.c5e444bea30956531d283c6fa6273d	58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://player.vimeo.com/progressive_redirect/playback/853528055/rendition/1080p/file.mp4?loc=extern	58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://i5.walmartimages.com/dfw/4ff9c6c9-84db/k2-_5d160174-ff31-4dd5-851c-dc710eec781e.v1.jpg	58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://i5.walmartimages.com/seo/5ft-Artificial-Eucalyptus-Silk-Plants-Pot-Faux-Plastic-Tree-Durable	58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.walmart.com/browse/home/kids-characters/4044_1154295_6561064?povid=GlobalNav_rWeb_Kids_K	58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4060926865.0000000029D0A000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://i5.walmartimages.com/dfw/4ff9c6c9-da61/k2-_56a58d5c-0b26-46ec-b335-1b9f0cdaed17.v1.jpg	58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://i5.walmartimages.com/seo/YDZJY-Walking-Pad-Walking-Treadmill-Under-Desk-Treadmill-2-in-1-for	58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://i5.walmartimages.com/seo/INGALIK-Twin-Mattress-Topper-Extra-Thick-Cooling-Pad-Cover-400TC-Co	58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://claimconcessionrebe.shop/9g	52CE.exe, 00000007.00000003.2357497536.0000000000829000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://i5.walmartimages.com/dfw/4ff9c6c9-9674/k2-_cd6b8be4-8bfb-47bc-9843-49e8ed571106.v1.jpg	58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://wns.windows.com/e	explorer.exe, 00000002.00000000.2115395626.00000000099AB000.00000004.00000001.00020000.00000000.sdmp	false		high
https://i5.walmartimages.com/dfw/4ff9c6c9-dfbc/k2-_d1dfad32-2c36-47c1-a247-158d770058e7.v1.jpg	58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000002.00000000.2117072939.000000000C3BE000.00000004.00000001.00020000.00000000.sdmp	false		high
https://i5.walmartimages.com/dfw/4ff9c6c9-6a8d/k2-_4f147c7f-478b-4e25-96c7-22fbcda3cf40.v1.jpg	58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.walmart.com/browse/premium-beauty/premium-makeup/7924299_1417743?povid=GlobalNav_rWeb_Be	58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 00000002.00000000.2112640933.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://i5.walmartimages.com/dfw/4ff9c6c9-b684/k2-_a080ff7f-9bb4-4033-9402-ee665c58fac7.v1.jpg	58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	52CE.exe, 00000007.00000003.2358962427.0000000002F28000.00000004.00000800.00020000.00000000.sdmp, 52CE.exe, 00000007.00000003.2358835967.0000000002F2B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.walmart.com/browse/party-occasions/football-party-occasions/2637_7336515?povid=GlobalNav	58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://i5.walmartimages.com/dfw/4ff9c6c9-f2d4/k2-_132eead8-ed1f-4151-b38a-ba0c55c03322.v1.jpg	58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://i5.walmartimages.com/dfw/4ff9c6c9-db33/k2-_76752a43-1765-455e-85d2-16a450d8ff5a.v1.jpg	58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/travel/news/you-can-t-beat-bobby-flay-s-phoenix-airport-restaurant-one-of-	explorer.exe, 00000002.00000000.2112640933.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.ecosia.org/newtab/	52CE.exe, 00000007.00000003.2358835967.0000000002F2B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://i5.walmartimages.com/seo/WhatsBedding-2-Pieces-Bed-in-a-Bag-Comforter-Set-Duvet-Insert-Rever	58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://i5.walmartimages.com/dfw/4ff9c6c9-364a/k2-_5c4cbd98-0f51-4e00-9c26-3335227d3b53.v1.jpg	58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://i5.walmartimages.com/asr/c227e160-1b31-45fb-a3aa-2aaa922c5e36.4d06f03e1717d33bdf57e44e398c99	58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.walmart.com/browse/beauty/travel-size-beauty/1085666_8097138?povid=GlobalNav_rWeb_Beauty	58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.walmart.com/shop/deals/electronics?povid=GlobalNav_rWeb_Deals_Deals_Electronics	58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://i5.walmartimages.com/dfw/4ff9c6c9-6897/k2-_9d771225-ddc0-4ae4-8302-1921a8ace961.v1.jpg	58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.walmart.com/cp/outdoor-toys/14521?povid=GlobalNav_rWeb_Kids_KidsSportsOutdoors_OutdoorTo	58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4060926865.0000000029D0A000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.walmart.com/browse/home/all-folding-furniture/4044_103150_2506585_5247588?povid=GlobalNa	58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://outlook.come	explorer.exe, 00000002.00000000.2117072939.000000000C048000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp	explorer.exe, 00000002.00000000.2115395626.00000000099AB000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the	explorer.exe, 00000002.00000000.2112640933.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://i5.walmartimages.com/dfw/4ff9c6c9-64b9/k2-_6b3d48c1-0664-4310-b44c-1da866885771.v1.jpg	58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.walmart.com/cp/sports/4161?povid=GlobalNav_rWeb_Kids_KidsSportsOutdoors_ShopAllSports_Co	58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4060926865.0000000029D0A000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/politics/kevin-mccarthy-s-ouster-as-house-speaker-could-cost-gop-its-	explorer.exe, 00000002.00000000.2112640933.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://i5.walmartimages.com/dfw/4ff9c6c9-a099/k2-_6958c2af-b8a0-4fce-86a5-2b62a23d0e62.v1.jpg	58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://i5.walmartimages.com/dfw/4ff9c6c9-4677/k2-_80471a98-6b3c-478c-854f-db226c97af19.v1.jpg	58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.walmart.com/cp/preschool-toys/1077545?povid=GlobalNav_rWeb_Kids_KidsToys_PreschoolToy_Co	58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4060926865.0000000029D0A000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.walmart.com/cp/nintendo-switch/4646529?povid=GlobalNav_rWeb_Kids_VideoGames_Nintendo_Con	58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4060926865.0000000029D0A000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://i5.walmartimages.com/dfw/4ff9c6c9-f903/k2-_593c15ba-e773-49f3-9de3-d36778997619.v1.jpg	58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://i5.walmartimages.com/seo/Restored-Apple-iPhone-11-64GB-Verizon-GSM-Unlocked-T-Mobile-AT-T-4G	58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.walmart.com/browse/electronics/streaming-devices/3944_77622_7549938_1229631_1085065?povi	58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.walmart.com/cp/kids-bedding/1156114?povid=GlobalNav_rWeb_Kids_KidsRooms_KidsBedding_Cont	58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4060926865.0000000029D0A000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://i5.walmartimages.com/dfw/4ff9c6c9-a6f3/k2-_26dabc42-d17d-4b93-aa58-dcd5a9ed744b.v1.jpg	58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.walmart.com/shop/game-time-bulk-items?povid=GlobalNav_rWeb_GameTime_BulkSupplies	58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.micro	explorer.exe, 00000002.00000000.2113359732.0000000007B50000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2111255061.00000000028A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.2113369969.0000000007B60000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
https://i5.walmartimages.com/dfw/4ff9c6c9-bf80/k2-_98fd2df6-c703-4e47-8269-1d2b66df2faf.v1.jpg	58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://i5.walmartimages.com/dfw/4ff9c6c9-1920/k2-_eba01adf-bf8c-43f3-9f0d-b1ab61dda095.v1.jpg	58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.walmart.com/cp/castrol/3373615?povid=GlobalNav_rWeb_AutoTires_FeaturedBrands_Castrol	58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4060926865.0000000029D0A000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://i5.walmartimages.com/dfw/4ff9c6c9-4e0f/k2-_7fcd9674-3427-4927-b9fa-b1195d69a7d4.v1.jpg	58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://i5.walmartimages.com/seo/Airtight-Pantry-Storage-Canisters-for-Flour-Sugar-Pantrystar-2-Pcs-	58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://i5.walmartimages.com/dfw/4ff9c6c9-4a23/k2-_7caf0f79-3f76-4cb0-8ea4-5849e1657bae.v1.jpg	58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.walmart.com/browse/food/shop-all-game-time-food/976759_1567409_3282877_6093905?povid=Glo	58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://claimconcessionrebe.shop/api	52CE.exe, 00000007.00000003.2357497536.0000000000841000.00000004.00000020.00020000.00000000.sdmp, 52CE.exe, 00000007.00000003.2451172289.00000000008A9000.00000004.00000020.00020000.00000000.sdmp, 52CE.exe, 00000007.00000003.2473453710.00000000008AB000.00000004.00000020.00020000.00000000.sdmp, 52CE.exe, 00000007.00000002.2536018433.00000000008AB000.00000004.00000020.00020000.00000000.sdmp, 52CE.exe, 00000007.00000003.2404960865.00000000008B5000.00000004.00000020.00020000.00000000.sdmp, 52CE.exe, 00000007.00000003.2370596947.00000000008AC000.00000004.00000020.00020000.00000000.sdmp, 52CE.exe, 00000007.00000003.2508519144.00000000008AB000.00000004.00000020.00020000.00000000.sdmp, 52CE.exe, 00000007.00000003.2509088566.0000000000841000.00000004.00000020.00020000.00000000.sdmp	false	15%, Virustotal, Browse Avira URL Cloud: phishing	unknown
https://www.walmart.com/browse/home/shop-kitchen-appliances/4044_90548_90546_5175115?facet=facet_pro	58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/politics/republicans-already-barred-trump-from-being-speaker-of-the-h	explorer.exe, 00000002.00000000.2112640933.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/news/politics/trump-campaign-says-he-raised-more-than-45-million-in-3rd-qu	explorer.exe, 00000002.00000000.2112640933.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.walmart.com/cp/kids-bikes-riding-toys/133073?povid=GlobalNav_rWeb_Kids_KidsSportsOutdoor	58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4060926865.0000000029D0A000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	52CE.exe, 00000007.00000003.2358835967.0000000002F2B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://excel.office.com-	explorer.exe, 00000002.00000000.2117072939.000000000C048000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://i5.walmartimages.com/seo/HOBIBEAR-Women-s-Snow-Boots-Anti-Slip-Waterproof-Warm-Winter-Shoes_	58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.walmart.com/shop/deals/electronics/apple	58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMhz-dark	explorer.exe, 00000002.00000000.2112640933.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://claimconcessionrebe.shop/	52CE.exe, 00000007.00000003.2509088566.0000000000841000.00000004.00000020.00020000.00000000.sdmp, 52CE.exe, 00000007.00000003.2508897548.00000000008D0000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: phishing	unknown
https://www.msn.com/en-us/news/us/biden-administration-waives-26-federal-laws-to-allow-border-wall-c	explorer.exe, 00000002.00000000.2112640933.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.walmart.com/cp/playstation-5/3475115?povid=GlobalNav_rWeb_Kids_VideoGames_Playstation_Co	58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4060926865.0000000029D0A000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.msn.com/en-us/weather/topstories/california-s-reservoirs-runneth-over-in-astounding-reve	explorer.exe, 00000002.00000000.2112640933.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.blankbeauty.com/Walmart?povid=GlobalNav_rWeb_Beauty_TrendinginBeauty_BlankBeautyCustomNa	58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.walmart.com/browse/beauty-by-top-brands/equate-beauty/1085666_3316357_8168824?povid=Glob	58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://sabotage.net	58CA.exe, 00000011.00000003.2969930160.0000000002F09000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.2959484573.0000000003B36000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.2959949994.0000000003C99000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.2963025040.0000000003F52000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.walmart.com/browse/home/kids-room-decor/4044_1154295_1156072?povid=GlobalNav_rWeb_Kids_K	58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4060926865.0000000029D0A000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.walmart.com/cp/outdoor-play/14521?povid=GlobalNav_rWeb_Kids_KidsSportsOutdoors_ShopAllOu	58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4060926865.0000000029D0A000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://i5.walmartimages.com/seo/Slsy-Folding-Bed-Cot-with-3-3-Inch-Mattress-75-28-Folding-Camping-C	58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.walmart.com/browse/7924299?facet=fulfillment_speed%3AToday	58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.walmart.com/browse/toys/toys-for-kids-5-to-7-years/4171_3318550_617941?povid=GlobalNav_r	58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4061553467.000000002B9CF000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4060926865.0000000029D0A000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.msn.com:443/en-us/feed	explorer.exe, 00000002.00000000.2112640933.00000000073E5000.00000004.00000001.00020000.00000000.sdmp	false		high
https://www.walmart.com/browse/sports-outdoors/nfl-shop-all/4125_1063984_1423455_7175574?povid=Globa	58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.walmart.com/shop/deals?povid=GlobalNav_rWeb_Deals_Deals_ShopAll	58CA.exe, 00000011.00000003.4063841358.0000000033806000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096532907.0000000033088000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4096136090.0000000033ACA000.00000004.00000020.00020000.00000000.sdmp, 58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false		high
https://bookends.cdn.vpsvc.com/html/statics/dep-share/v8_bundle-faf089dc.js	58CA.exe, 00000011.00000003.4030191989.000000003C58F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.walmart.com/browse/premium-bath-body/premium-sun-care-sunscreens/7924299_3571844_9069144	58CA.exe, 00000011.00000003.4062648503.0000000031BCD000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
104.21.69.233	unknown	United States	13335	CLOUDFLARENETUS	false
108.177.122.27	unknown	United States	15169	GOOGLEUS	false
17.32.194.37	unknown	United States	714	APPLE-ENGINEERINGUS	false
17.32.194.36	unknown	United States	714	APPLE-ENGINEERINGUS	false
104.45.22.140	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
17.32.194.38	unknown	United States	714	APPLE-ENGINEERINGUS	false
104.20.23.50	unknown	United States	13335	CLOUDFLARENETUS	false
208.91.204.104	unknown	United States	36841	ZAYO-NSVUS	false
54.230.31.74	unknown	United States	16509	AMAZON-02US	false
185.132.180.251	unknown	Netherlands	52129	PROOFPOINT-ASN-EUGB	false
96.17.42.200	unknown	United States	16625	AKAMAI-ASUS	false
23.214.188.185	unknown	United States	16625	AKAMAI-ASUS	false
172.66.42.232	unknown	United States	13335	CLOUDFLARENETUS	false
77.88.21.249	unknown	Russian Federation	13238	YANDEXRU	false
15.204.219.238	unknown	United States	71	HP-INTERNET-ASUS	false
104.22.6.158	unknown	United States	13335	CLOUDFLARENETUS	false
13.248.169.48	unknown	United States	16509	AMAZON-02US	false
172.67.4.254	unknown	United States	13335	CLOUDFLARENETUS	false
192.157.56.142	unknown	Canada	55286	SERVER-MANIACA	false
13.249.120.75	unknown	United States	16509	AMAZON-02US	false
104.18.100.225	unknown	United States	13335	CLOUDFLARENETUS	false
185.220.100.248	unknown	Germany	205100	F3NETZEDE	false
172.64.152.43	unknown	United States	13335	CLOUDFLARENETUS	false
42.62.48.103	unknown	China	23724	CHINANET-IDC-BJ-APIDCChinaTelecommunicationsCorporation	false
151.101.65.124	unknown	United States	54113	FASTLYUS	false
185.172.128.19	unknown	Russian Federation	50916	NADYMSS-ASRU	true
66.212.230.32	unknown	United States	14537	CL-1379-14537US	false
104.16.217.241	unknown	United States	13335	CLOUDFLARENETUS	false
104.18.35.8	unknown	United States	13335	CLOUDFLARENETUS	false
151.101.65.252	unknown	United States	54113	FASTLYUS	false
23.203.244.213	unknown	United States	16625	AKAMAI-ASUS	false
3.163.101.31	unknown	United States	16509	AMAZON-02US	false
23.212.97.152	unknown	United States	20940	AKAMAI-ASN1EU	false
16.182.68.173	unknown	United States	unknown	unknown	false
3.13.150.146	unknown	United States	16509	AMAZON-02US	false
23.7.44.230	unknown	United States	16625	AKAMAI-ASUS	false
54.90.195.6	unknown	United States	14618	AMAZON-AESUS	false
38.147.122.254	unknown	United States	54133	UNMETEREDCA	false
13.234.53.11	unknown	United States	16509	AMAZON-02US	false
164.90.197.162	unknown	United States	14061	DIGITALOCEAN-ASNUS	false
54.231.170.21	unknown	United States	16509	AMAZON-02US	false
199.232.193.89	unknown	United States	54113	FASTLYUS	false
195.130.217.201	unknown	United Kingdom	42427	MIMECAST-UKGB	false
104.16.202.229	unknown	United States	13335	CLOUDFLARENETUS	false
3.163.101.45	unknown	United States	16509	AMAZON-02US	false
217.69.139.180	unknown	Russian Federation	47764	MAILRU-ASMailRuRU	false
44.194.34.121	unknown	United States	14618	AMAZON-AESUS	false
103.153.229.249	unknown	unknown	134687	TWIDC-AS-APTWIDCLimitedHK	false
104.21.58.31	unknown	United States	13335	CLOUDFLARENETUS	false
54.230.31.113	unknown	United States	16509	AMAZON-02US	false
35.186.224.25	unknown	United States	15169	GOOGLEUS	false
23.200.87.73	unknown	United States	20940	AKAMAI-ASN1EU	false
217.108.192.177	unknown	France	3215	FranceTelecom-OrangeFR	false
162.159.138.232	unknown	United States	13335	CLOUDFLARENETUS	false
76.223.54.146	unknown	United States	16509	AMAZON-02US	false
67.231.145.181	unknown	United States	26211	PROOFPOINT-ASN-US-WESTUS	false
18.64.236.108	unknown	United States	3	MIT-GATEWAYSUS	false
195.130.217.211	unknown	United Kingdom	42427	MIMECAST-UKGB	false
172.64.151.50	unknown	United States	13335	CLOUDFLARENETUS	false
23.203.101.122	unknown	United States	3257	GTT-BACKBONEGTTDE	false
141.98.234.31	unknown	Russian Federation	41011	CH-NET-ASRO	false
172.253.62.27	unknown	United States	15169	GOOGLEUS	false
104.20.14.19	unknown	United States	13335	CLOUDFLARENETUS	false
217.70.178.1	unknown	France	29169	GANDI-ASDomainnameregistrar-httpwwwgandinetFR	false
141.8.192.6	unknown	Russian Federation	35278	SPRINTHOSTRU	true
18.160.60.103	unknown	United States	3	MIT-GATEWAYSUS	false
104.16.104.112	unknown	United States	13335	CLOUDFLARENETUS	false
5.42.64.33	unknown	Russian Federation	39493	RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU	false
35.168.45.10	unknown	United States	14618	AMAZON-AESUS	false
18.64.236.76	unknown	United States	3	MIT-GATEWAYSUS	false
34.218.145.143	unknown	United States	16509	AMAZON-02US	false
52.70.83.182	unknown	United States	14618	AMAZON-AESUS	false
104.22.15.224	unknown	United States	13335	CLOUDFLARENETUS	false
3.163.101.8	unknown	United States	16509	AMAZON-02US	false
18.64.236.73	unknown	United States	3	MIT-GATEWAYSUS	false
104.214.223.106	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
167.89.115.46	unknown	United States	11377	SENDGRIDUS	false
51.83.156.66	unknown	France	16276	OVHFR	false
52.217.173.245	unknown	United States	16509	AMAZON-02US	false
104.26.3.117	unknown	United States	13335	CLOUDFLARENETUS	false
85.184.96.0	unknown	Malta	47171	UNIBET-ASMT	false
34.149.46.130	unknown	United States	2686	ATGS-MMD-ASUS	false
104.22.1.142	unknown	United States	13335	CLOUDFLARENETUS	false
91.220.42.211	unknown	United Kingdom	42427	MIMECAST-UKGB	false
31.13.88.1	unknown	Ireland	32934	FACEBOOKUS	false
31.13.65.1	unknown	Ireland	32934	FACEBOOKUS	false
188.40.28.11	unknown	Germany	24940	HETZNER-ASDE	false
40.126.7.35	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
52.101.68.36	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
76.76.21.21	unknown	United States	16509	AMAZON-02US	false
66.254.114.33	unknown	United States	29789	REFLECTEDUS	false
162.159.205.23	unknown	United States	13335	CLOUDFLARENETUS	false
40.126.7.32	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
52.85.87.252	unknown	United States	16509	AMAZON-02US	false
144.76.167.28	unknown	Germany	24940	HETZNER-ASDE	false
104.20.22.50	unknown	United States	13335	CLOUDFLARENETUS	false
51.83.156.77	unknown	France	16276	OVHFR	false
23.200.87.230	unknown	United States	20940	AKAMAI-ASN1EU	false
104.22.7.158	unknown	United States	13335	CLOUDFLARENETUS	false
23.36.10.171	unknown	United States	20940	AKAMAI-ASN1EU	false

General Information

Joe Sandbox version:	39.0.0 Ruby
Analysis ID:	1384598
Start date and time:	2024-02-01 09:41:58 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 14m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	44
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	2
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	v6SEx6rJ3E.exe renamed because original name is a hash value
Original Sample Name:	10f4053998fd9c03a187fe7f75a36697.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@69/121@0/100
EGA Information:	Successful, ratio: 87.5%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, consent.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryDirectoryFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Skipping network analysis since amount of network traffic is too extensive

Simulations

Behavior and APIs

Time	Type	Description
09:43:00	API Interceptor	184189x Sleep call for process: explorer.exe modified
09:43:07	Task Scheduler	Run new task: Firefox Default Browser Agent F5132FE5DF367A6C path: C:\Users\user\AppData\Roaming\esiffai
09:43:10	API Interceptor	6x Sleep call for process: 52CE.exe modified
09:43:20	API Interceptor	1x Sleep call for process: 5C46.exe modified
09:43:27	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run CSRSS "C:\ProgramData\Drivers\csrss.exe"
09:43:31	API Interceptor	7x Sleep call for process: 288c47bbc1871b439df19ff4df68f076.exe modified
09:43:34	Task Scheduler	Run new task: MalayamaraUpdate path: "C:\Users\user\AppData\Local\Temp\Updater.exe"
09:43:37	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run CSRSS "C:\ProgramData\Drivers\csrss.exe"
09:43:52	API Interceptor	7x Sleep call for process: 7147.exe modified
09:44:02	Task Scheduler	Run new task: Firefox Default Browser Agent A196CE16602AE710 path: C:\Users\user\AppData\Roaming\afiffai
09:44:03	API Interceptor	3326x Sleep call for process: 58CA.exe modified
09:44:11	API Interceptor	5986x Sleep call for process: ksverify.exe modified
09:44:37	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
13.248.169.48	a5hbkmGD7N.exe	Get hash	malicious	Pushdo	Browse	www.otena.com/
	file.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.glovegpt.com/ce10/?lv7T7b-=xgTPoZP+wGaD3fYSeGX70ZdeG9KI5pd7X2NwVM4gmAPT+uhONMVhMD5uawLSBeZjB36e&U48pU2=ghcPOpDPXB44VLF
	http://catsdegree.com	Get hash	malicious	Unknown	Browse	catsdegree.com/
	x21iMpR0I1.exe	Get hash	malicious	FormBook	Browse	www.consultingconsultants.com/de74/?kxl0dl=HcqrJas7Hw8+ahuoUtQYWCwyAFBxHXNXOqic7snQN/jDIetBVFmu2W59sOhBMZZ5RnMs&jTF4=DhOx3
	PO_88874637463836483.xls	Get hash	malicious	FormBook	Browse	www.consultingconsultants.com/de74/?oPL8bZE=HcqrJatPbA9KHx7bKdQYWCwyAFBxHXNXOq6Mnv7RJfjCIvBHSV3igSB/vrZXX950ZUBcPQ==&2dt=Lxll6n0PHP_xoRr0
	SOLICITUD DE OFERTA.exe	Get hash	malicious	FormBook	Browse	www.projectsupdate.com/hi5f/?EPTX=1bGTxft0Kt5p-r4P&3fqLR=jQsp53na0BVlIP1WEGzhGvLghMb60HFcVyKrksP3rYPIcugbhXddbCpyKnsGWK0fmeT0
	fattura proforma pdf.exe.xz	Get hash	malicious	DBatLoader, FormBook	Browse	www.norcliffecapital.com/qh1n/?9r1P22=T0tMpnQR+CCNu9MjU4UanwmC36sE1+z6hCH6pS8eLcffZ5xQtTS4unwvOmPruwf8bbd/AZqyYQ==&Q2J=FhL0-T
	0TZSA1YPDb.exe	Get hash	malicious	FormBook	Browse	www.sairam.tech/ppr3/?ZNll=38QcXQtVwTLpnoddu/DoMagU5DI49YDLuVjqRY3MArHaquI9VsSc7DCKDItnX6TaQ/h5qxIkAcCUnErz5psiP/coex6nZER0fWop1fzldF+F&dF5l=EfnD
	iW3QlUK3wG.exe	Get hash	malicious	FormBook	Browse	www.sairam.tech/ppr3/?GrP8=38QcXQtVwTLpnoddu/DoMagU5DI49YDLuVjqRY3MArHaquI9VsSc7DCKDItnX6TaQ/h5qxIkAcCUnErz5psiP/coex6nZER0fWop1fzldF+F&3bS=88epahP0J
	vUsaFL3sWj.exe	Get hash	malicious	FormBook	Browse	www.sairam.tech/ppr3/?yHr=38QcXQtVwTLpnoddu/DoMagU5DI49YDLuVjqRY3MArHaquI9VsSc7DCKDItnX6TaQ/h5qxIkAcCUnErz5psiP9YPD3uiYhF4fGop1bb0Ql+F&3B3=QJfhe
77.88.21.249	tFGPgPkxgo.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, SmokeLoader, Socks5Systemz, Stealc	Browse
	file.exe	Get hash	malicious	Glupteba, Petite Virus, SmokeLoader, Socks5Systemz, Stealc	Browse
	SSmamWOS7L.exe	Get hash	malicious	Glupteba, SmokeLoader, Stealc	Browse
	B843BuO7i3.exe	Get hash	malicious	Glupteba, RedLine, SmokeLoader	Browse
	file.exe	Get hash	malicious	RedLine, SmokeLoader	Browse
	IDzTyPghZg.exe	Get hash	malicious	Unknown	Browse
	gEkl9O5tiu.exe	Get hash	malicious	Phorpiex	Browse
	file.exe	Get hash	malicious	Phorpiex, Xmrig	Browse
	Purchase order #459980FDS657.exe	Get hash	malicious	AgentTesla	Browse
	file.log.exe	Get hash	malicious	Unknown	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	De0RycaUHH.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, SmokeLoader, Stealc	Browse	52.25.92.0
	tFGPgPkxgo.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, SmokeLoader, Socks5Systemz, Stealc	Browse	3.135.157.0
	https://storage.googleapis.com/edusa/algonquincollege.html#4cCRYb398kcWP32jndkfhfjyc4MIWDSMDNXLSZCFF1708863VSUP299741N9	Get hash	malicious	Phisher	Browse	18.155.192.106
	https://encr.pw/I92KJ?token=a4b16e51-4b3c-428e-ac42-318df7d4ca9c	Get hash	malicious	Unknown	Browse	13.249.120.63
	mGPooGpl9I.elf	Get hash	malicious	Gafgyt	Browse	34.249.145.219
	FgTs8pZZqK.elf	Get hash	malicious	Gafgyt	Browse	54.171.230.55
	PqyrXWg453.elf	Get hash	malicious	Gafgyt, Mirai	Browse	54.217.10.153
	Rgb2UT2fqz.elf	Get hash	malicious	Gafgyt	Browse	34.249.145.219
	shindearm7.elf	Get hash	malicious	Mirai, Okiru	Browse	54.171.230.55
	iata-dg-autocheck.apk	Get hash	malicious	Unknown	Browse	34.252.119.253
MICROSOFT-CORP-MSN-AS-BLOCKUS	tFGPgPkxgo.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, SmokeLoader, Socks5Systemz, Stealc	Browse	52.101.9.5
	https://storage.googleapis.com/edusa/algonquincollege.html#4cCRYb398kcWP32jndkfhfjyc4MIWDSMDNXLSZCFF1708863VSUP299741N9	Get hash	malicious	Phisher	Browse	204.79.197.203
	POTsl35.bat.exe	Get hash	malicious	Remcos, DBatLoader	Browse	13.107.137.11
	bTs5.exe	Get hash	malicious	Njrat	Browse	191.233.28.7
	bTs4.exe	Get hash	malicious	AsyncRAT	Browse	191.233.28.7
	https://nam.safelink.emails.azure.net/redirect/?destination=https%3A%2F%2Fwww.microsoft.com%2Fworkplace-discount-program%3Ftoken%3D19c888ec-6402-49e1-a9ae-e189ed3e4cb9%26ocid%3Deml_OrganicEligibility_cons_officehup_acq_hup_poceligibility&p=bT1mNjU4NjMyYy0xNjE2LTRmNmMtODUyMy00NDI2YTllMzZiZjAmcz0wMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAmdT1hZW8mbD13b3JrcGxhY2UtZGlzY291bnQtcHJvZ3JhbQ%3D%3D	Get hash	malicious	Unknown	Browse	13.69.239.72
	LCXN2KCldu.elf	Get hash	malicious	Gafgyt	Browse	104.147.194.199
	SecuriteInfo.com.Win32.TrojanX-gen.20653.11930.exe	Get hash	malicious	Amadey, Fabookie, LummaC Stealer, PureLog Stealer, RedLine, RisePro Stealer, Stealc	Browse	20.75.60.91
	SecuriteInfo.com.Win32.RansomX-gen.986.4839.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	13.107.137.11
	bTsx.exe	Get hash	malicious	Njrat	Browse	191.233.28.7
CLOUDFLARENETUS	De0RycaUHH.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, SmokeLoader, Stealc	Browse	172.67.190.111
	Setup (1).exe	Get hash	malicious	Unknown	Browse	104.18.27.149
	http://gatenbysanderrson.com	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	104.17.2.184
	8DC05M2LD0.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, PureLog Stealer, RisePro Stealer	Browse	172.67.139.220
	DzVuoFusnL.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, SmokeLoader, Stealc	Browse	104.21.58.31
	fcRqhN4nqd.exe	Get hash	malicious	LummaC, Clipboard Hijacker, LummaC Stealer, SmokeLoader	Browse	172.67.141.14
	38gmTjpc3Y.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, SmokeLoader, Socks5Systemz, Stealc	Browse	104.21.80.24
	tFGPgPkxgo.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, SmokeLoader, Socks5Systemz, Stealc	Browse	104.18.40.191
	WDK87YadKo.exe	Get hash	malicious	LummaC, Clipboard Hijacker, LummaC Stealer, SmokeLoader	Browse	104.21.40.254
	yx06d6oCh3.exe	Get hash	malicious	LummaC, Clipboard Hijacker, LummaC Stealer, SmokeLoader	Browse	104.21.40.254
CLOUDFLARENETUS	De0RycaUHH.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, SmokeLoader, Stealc	Browse	172.67.190.111
	Setup (1).exe	Get hash	malicious	Unknown	Browse	104.18.27.149
	http://gatenbysanderrson.com	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	104.17.2.184
	8DC05M2LD0.exe	Get hash	malicious	LummaC, Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, PureLog Stealer, RisePro Stealer	Browse	172.67.139.220
	DzVuoFusnL.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, SmokeLoader, Stealc	Browse	104.21.58.31
	fcRqhN4nqd.exe	Get hash	malicious	LummaC, Clipboard Hijacker, LummaC Stealer, SmokeLoader	Browse	172.67.141.14
	38gmTjpc3Y.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, SmokeLoader, Socks5Systemz, Stealc	Browse	104.21.80.24
	tFGPgPkxgo.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, SmokeLoader, Socks5Systemz, Stealc	Browse	104.18.40.191
	WDK87YadKo.exe	Get hash	malicious	LummaC, Clipboard Hijacker, LummaC Stealer, SmokeLoader	Browse	104.21.40.254
	yx06d6oCh3.exe	Get hash	malicious	LummaC, Clipboard Hijacker, LummaC Stealer, SmokeLoader	Browse	104.21.40.254

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\ProgramData\DeliveryStatusFields_65\DeliveryStatusFields_65.exe	De0RycaUHH.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, SmokeLoader, Stealc	Browse
	DzVuoFusnL.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, SmokeLoader, Stealc	Browse
	38gmTjpc3Y.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, SmokeLoader, Socks5Systemz, Stealc	Browse
	tFGPgPkxgo.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, SmokeLoader, Socks5Systemz, Stealc	Browse
C:\ProgramData\freebl3.dll	De0RycaUHH.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, SmokeLoader, Stealc	Browse
	DzVuoFusnL.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, SmokeLoader, Stealc	Browse
	38gmTjpc3Y.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, SmokeLoader, Socks5Systemz, Stealc	Browse
	tFGPgPkxgo.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, SmokeLoader, Socks5Systemz, Stealc	Browse
	KFHX2S263Y.exe	Get hash	malicious	Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Amadey, Fabookie, Glupteba, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Glupteba, GuLoader, Socks5Systemz, Stealc	Browse
	file.exe	Get hash	malicious	Babuk, Djvu, RedLine, SmokeLoader, Stealc, Vidar, Xmrig	Browse
	SecuriteInfo.com.Win32.PWSX-gen.23950.2214.exe	Get hash	malicious	Stealc, Vidar	Browse
	file.exe	Get hash	malicious	Glupteba, RedLine, SmokeLoader, Stealc, Vidar, Xmrig	Browse
C:\ProgramData\Drivers\csrss.exe	De0RycaUHH.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, SmokeLoader, Stealc	Browse
	DzVuoFusnL.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, SmokeLoader, Stealc	Browse
	38gmTjpc3Y.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, SmokeLoader, Socks5Systemz, Stealc	Browse
	tFGPgPkxgo.exe	Get hash	malicious	LummaC, Glupteba, LummaC Stealer, SmokeLoader, Socks5Systemz, Stealc	Browse

Created / dropped Files

C:\ProgramData\AEBKKECBGIIJJKECGIJE

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\BAEHIEBGHDAFIEBGIEHJECGCGC

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\BGHIDGCAFCBAAAAAFHDAEHCFIE

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.8508558324143882
Encrypted:	false
SSDEEP:	24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
MD5:	933D6D14518371B212F36C3835794D75
SHA1:	92D056D912B3C0260D379330D3CC0359B57A322B
SHA-256:	55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
SHA-512:	EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\BKJKJEHJJDAKECBFCGIDBGCAEG

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp
File Type:	SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	5242880
Entropy (8bit):	0.0357803477377646
Encrypted:	false
SSDEEP:	192:58rJQaXoMXp0VW9FxWwJU0VnQphI1mJ/8GJK:58r54w0VW3xWB0VaI4
MD5:	76D181A334D47872CD2E37135CC83F95
SHA1:	B563370B023073CE6E0F63671AA4AF169ABBF4E1
SHA-256:	52D831CC6F56C3A25EB9238AAF25348E1C4A3D361DFE7F99DB1D37D89A0057FD
SHA-512:	23E0D43E4785E5686868D5448628718720C5A8D9328EE814CB77807260F7CDA2D01C5DEE8F58B5713F4F09319E6CB7AB24725078C01322BAE04777418A49A9F7
Malicious:	false
Preview:	SQLite format 3......@ ...................&...................K..................................j.....-a>.~...\|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\CAEHJEBKFCAKKFIEHDBFIEHDHI

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	0.08235737944063153
Encrypted:	false
SSDEEP:	12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5:	369B6DD66F1CAD49D0952C40FEB9AD41
SHA1:	D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256:	14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512:	771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\CBFBGCGI

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1239949490932863
Encrypted:	false
SSDEEP:	384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
MD5:	271D5F995996735B01672CF227C81C17
SHA1:	7AEAACD66A59314D1CBF4016038D3A0A956BAF33
SHA-256:	9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
SHA-512:	62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........7......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\CZQKSDDMWR.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.700739677288544
Encrypted:	false
SSDEEP:	24:ppydEKvTSBiqFHi8v+wyNV+fxloGJjN3y5j1xTEC3ugbIvso8wFjas:rmEKvMiYC8Wwyr88GFAH/UvsuZl
MD5:	57582F5B6AE65D8DFCBD4A26382C6138
SHA1:	DC27AD5E54D1BDCCA4EC0D54ED1FB5A3235E9842
SHA-256:	7918D6E76741E42934BB32547E2D7EA395304AEA3383C0E6B7FCF82ACE125749
SHA-512:	6D75F68E608CB12378605F06C74F2F0414486072CC25961A1EA421B94EA5827F92110B902C2190E04AAE2D79152B0AB9B5B1ACECDCAAADD93A6F25028DD1E060
Malicious:	false
Preview:	CZQKSDDMWRVXFLQDZCLIIZCHKUTASMCLXARWUFPBFEESBCKPMBKHTZOAVUSGWGQBPZXNCLVHGKNWOAOTOSOFYOKUZEGHVYFBBGTMFWOOTOTSLTKZBTPTBZMUKYOSGWCRRYGDZWOEMUMCRRCZIEIYJAYGXMDKNOLEIKRXPEZKZGIXGYJYIBDXPZGYVGHMUCSHXXAYXQQNWIVOLMGKTXTGEAEKAOKQQSCTUWFEFQMLQUREMQDBYWFEQOMAJXVXIMMKWJJFKSSTMQZNWPBIQBZROXFYPWCYBVRMKUOGMEJJHYTWCOZYZXVANCHSTYZHRBVSORLGLSOWPDGEBVMQLDWKSLQFPEZDXWPZYNPSNTKGPNKUHFMAEGDWSDLCDNYFQZWURNIMQZDJNJPPOXINSGMUVHRDBWXOXDRPWKGITAKUVBIDIBIWIIANONNQUMKNATQWTVSOUCLOFKCCAISNABSKDPLNCYIQIFQMVEHZLIAFYDDSJJTQSUEVQKACGQHHXCYTZJABESDNXLIPGYKWXJZQWYJMSZUZHKYCGKQIKCYIWZOHAVHKCRNACDVNLPEXUPOQVKBGVFKCQDKJPNALRMAYMZRBAGMTICYZEFMXXYLDXTMKSZLDKSKSRQTDUDGFZXFQEHEDXVFBYBNEOVKFLNIRSTGZDIJXNRZEZFJHNPZDGPGECJTHNVMTSURANVWOVRBTYGZGIPOXWTRIHNKWFKCTXVVKOFHISZVHNVVRXJGJEZEJDSCKNIDUQYQWFNDXBQQJAYENVZXKXVUERYEPFEGNWBAJHHQSAFTHXGXMHUHJVQEYGVKPBTQMWUEZMBBSFENGBBVZIYHLXFRDPALQUURINJMTQGTPGJRGIWXIXWOPVDTWDBDNJJVXOPMTWAGMWQFUPMRROBBTRTOQBMZKPGWTYPWAVOKTSPLMOWJJDVZIIDATCEGNLHPVRONAQJFLFUZXJVRXMCGQNRKTYBRGRMKBPVPQSPFOIOHXGEGDHOJP

C:\ProgramData\CZQKSDDMWR.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.700739677288544
Encrypted:	false
SSDEEP:	24:ppydEKvTSBiqFHi8v+wyNV+fxloGJjN3y5j1xTEC3ugbIvso8wFjas:rmEKvMiYC8Wwyr88GFAH/UvsuZl
MD5:	57582F5B6AE65D8DFCBD4A26382C6138
SHA1:	DC27AD5E54D1BDCCA4EC0D54ED1FB5A3235E9842
SHA-256:	7918D6E76741E42934BB32547E2D7EA395304AEA3383C0E6B7FCF82ACE125749
SHA-512:	6D75F68E608CB12378605F06C74F2F0414486072CC25961A1EA421B94EA5827F92110B902C2190E04AAE2D79152B0AB9B5B1ACECDCAAADD93A6F25028DD1E060
Malicious:	false
Preview:	CZQKSDDMWRVXFLQDZCLIIZCHKUTASMCLXARWUFPBFEESBCKPMBKHTZOAVUSGWGQBPZXNCLVHGKNWOAOTOSOFYOKUZEGHVYFBBGTMFWOOTOTSLTKZBTPTBZMUKYOSGWCRRYGDZWOEMUMCRRCZIEIYJAYGXMDKNOLEIKRXPEZKZGIXGYJYIBDXPZGYVGHMUCSHXXAYXQQNWIVOLMGKTXTGEAEKAOKQQSCTUWFEFQMLQUREMQDBYWFEQOMAJXVXIMMKWJJFKSSTMQZNWPBIQBZROXFYPWCYBVRMKUOGMEJJHYTWCOZYZXVANCHSTYZHRBVSORLGLSOWPDGEBVMQLDWKSLQFPEZDXWPZYNPSNTKGPNKUHFMAEGDWSDLCDNYFQZWURNIMQZDJNJPPOXINSGMUVHRDBWXOXDRPWKGITAKUVBIDIBIWIIANONNQUMKNATQWTVSOUCLOFKCCAISNABSKDPLNCYIQIFQMVEHZLIAFYDDSJJTQSUEVQKACGQHHXCYTZJABESDNXLIPGYKWXJZQWYJMSZUZHKYCGKQIKCYIWZOHAVHKCRNACDVNLPEXUPOQVKBGVFKCQDKJPNALRMAYMZRBAGMTICYZEFMXXYLDXTMKSZLDKSKSRQTDUDGFZXFQEHEDXVFBYBNEOVKFLNIRSTGZDIJXNRZEZFJHNPZDGPGECJTHNVMTSURANVWOVRBTYGZGIPOXWTRIHNKWFKCTXVVKOFHISZVHNVVRXJGJEZEJDSCKNIDUQYQWFNDXBQQJAYENVZXKXVUERYEPFEGNWBAJHHQSAFTHXGXMHUHJVQEYGVKPBTQMWUEZMBBSFENGBBVZIYHLXFRDPALQUURINJMTQGTPGJRGIWXIXWOPVDTWDBDNJJVXOPMTWAGMWQFUPMRROBBTRTOQBMZKPGWTYPWAVOKTSPLMOWJJDVZIIDATCEGNLHPVRONAQJFLFUZXJVRXMCGQNRKTYBRGRMKBPVPQSPFOIOHXGEGDHOJP

C:\ProgramData\DeliveryStatusFields_65\DeliveryStatusFields_65.exe

Download File

Process:	C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	3011887
Entropy (8bit):	6.3447286295556085
Encrypted:	false
SSDEEP:	49152:UBd317wTswMFUGbYK44yywHwBGMaDZtYuydXFd2X:UBd3q4NbYKjyywHwBEDvYNd1d2X
MD5:	75BC189F3B2906887761C60E480B7CCF
SHA1:	5D6DCFFBC20CEC4056F123AF0A05FD0AEC00A8F7
SHA-256:	84FE81E96ADEA7140A714181417137D54695F489A1AA4900A6875E76D8B26046
SHA-512:	8FE6720A908D054FF3CF6F82E86C1E17ADC785DC0835C9F495D497EAC300F5A7AAB81EA797B287E618FA6CEF06C48BB056398FA48FE28F2BB5807974581AA780
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 44%, Browse
Joe Sandbox View:	Filename: De0RycaUHH.exe, Detection: malicious, Browse Filename: DzVuoFusnL.exe, Detection: malicious, Browse Filename: 38gmTjpc3Y.exe, Detection: malicious, Browse Filename: tFGPgPkxgo.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..u...u...u.......t.......~.......w...u...S...u...........f...C...t......t...Richu...........................PE..L......e.....................0....................@.......................... ....................................................... ...............................................................................................................text...<........................... ..`.rdata...9.......@..................@..@.data.... ..........................@....rsrc........ ......................@..@_wma6....@....../5..................`...........................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Drivers\csrss.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\58CA.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1902592
Entropy (8bit):	7.96578241790919
Encrypted:	false
SSDEEP:	24576:aIIgn56xKQZ9UvBEJLMJEyvAa5GNBLEMSp/zQZuIwd7SuMAFagdmUypRKjen0CQI:jI+Q9LUU7cpMBMkwIwdtMxpgjeGaf
MD5:	1274287F7DAA409EEA3E07059CF8FD51
SHA1:	A1DF35B30CCD295C319F5E3778F8BF0DEDC996F6
SHA-256:	EAB7F930DC57ABA040449BF4A2A9E2481873AA897A2305D7BE3C3E36765E2843
SHA-512:	136DA364C7733F6243EEBD74CA914714E65B60ACA86A5C96A4751803D40E5C729BD032BDC879F880A083501A544213A5BCE6920057AEB3742B19D7562F0E479E
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 66% Antivirus: Virustotal, Detection: 55%, Browse
Joe Sandbox View:	Filename: De0RycaUHH.exe, Detection: malicious, Browse Filename: DzVuoFusnL.exe, Detection: malicious, Browse Filename: 38gmTjpc3Y.exe, Detection: malicious, Browse Filename: tFGPgPkxgo.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................................PE..L...)t\|d......................n.............. ....@.........................................................................lD..<........x...........................!..............................(=..@............ ..p............................text............................... ..`.rdata...,... ......................@..@.data...\|.m..P...L...B..............@....rsrc....x.......z..................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\EWZCVGNOWT.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.690071120548773
Encrypted:	false
SSDEEP:	24:Hpi2eIMaeHmnj0AhtUkcnKCORSCQH8qvLrUo:Hs2e4njIkc6xQH8qvv5
MD5:	8F49644C9029260CF4D4802C90BA5CED
SHA1:	0A49DD925EF88BDEA0737A4151625525E247D315
SHA-256:	C666CACFDB412CE2BC653F9E2F19484DE94216D950F8C304D1F1F8ADD2EE32CE
SHA-512:	CA63EE1758AFE40FB8569FB3FF5A52BED8A593DC163F5F2462CEBFE1EA4F3F7AB4561435912279C4371944F7C63068D7474AB9F38492F34567E10E5188338C7E
Malicious:	false
Preview:	EWZCVGNOWTCRGCAHGHIARWHBREQUWUMDZTEFKOZTBZKDHTGWOMOMXQJLCILTVOXJTWXEZRFVVOJJDUXCZNNWMUHQTYLHFYPOOBFJLGZGDSYZASNMWULDKVPIBSBESQVOBWTJCIQCCRZOQSMEFZAEOCFIPUXIHTROYFKQUTFSAUWBWISJHTVIQQEEIJVJHOBGZOPHDRBICMJCZJYKKJVLBUSHZHJSFDMYEGPBFRDSFIJIUADWYUWFSOFGQCFBFZHQMDWRKPFVNPDGQDAXYWPQENYPVCKPJTHAOXRLVMNFIOJBVFWANBCOTBENTFVQZCFBFDBMQUHCCCHMMQUOWSBCZYACVCNJFQKUCOMHGVNGGVDACUHMUYLJZQAKUNMISIRRZWDKBKSCPQEZJBHYOZZAXJVBHPFZNDXVHGWHNSVWMYZWRVIDTUCEOPZZRDVHTZKWHATLUHBDJSDWLCXQNXOWYUDQGZJKCAXDTIVXTBCQYHDKCAAFPJFSMAIFXPBWZRPFPKSDNBTLCMBJVBNHSANLTYRSVYQCPKAVQBYOUIOKJPCSLSZRHROXWWPPNZAAXTNVEINHTCLXLDMDBKYPOGMKCUIRVICNSACARZMRYFMXNDTHABPDGEHGCEAXGZZZNHYOCNFJZCIJNBBNBGAUMIROJJYSLPZARPCRZNPUZHXYZLDLXFPTCUWDLYNUMOSJWAOBYFOHEOOAGSALYXBYBYNOLNVRWYGBMDREEFNSPFBRMCNZKOZYEFYTGCMVSCLNGPIPBUDCPAMQEHOAUUBIQZZVXLYZWJOMBCITZXNLTEPYYRLUUAPJTGKEVKMNIMNQWNLLBUVLJOYGWJXXREBMWKGHQSRPNVJAECVNLXPVKWNPACZWFRCNSRBCRVPAPFJGUCNKUOOMSEURPZQJTKWTBOYFSFQOBHOUCLHWYMZMDGTXJBELWCWSQGBSNYBSEAJYTJCJQBKRUPJLBACULNATKEWAJTPTTOUKYDWVFZCDBMMO

C:\ProgramData\GAOBCVIQIJ.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.701188456968639
Encrypted:	false
SSDEEP:	24:hm3LKgBsTCBI602KGM6Fnd0F02s0LTz4+A7wXBjb9gPY14fmfdBH159l7TZzRQTJ:4mg9IFPGM6OtPc++wXBbV14e71zwv
MD5:	18A3248DC9C539CCD2C8419D200F1C4D
SHA1:	3B2CEE87F3426C4A08959E9861D274663420215C
SHA-256:	27D6BAB3FFA19534FF008BDBC5FF07BE94BA08C909222D5AD4802C4C9E10153E
SHA-512:	F8176C814016D4962693A55A84D2BCC26EE01DE822E76B3D3A6B0ADD48382F8D76B5576742BBCAD16A7779C602B435150C0EBDDE1B1ECBFFD6702ECEFE87133B
Malicious:	false
Preview:	GAOBCVIQIJEAUPWDPRZCCBNOLIBVRPPLZPNDXMXWAHTVVUJJRUSFIWRMMSRKOQHCYSYUBMSXZLUDXPNKIPJHNLIKYINEELPXFAGZSNBZUDCHHIXCDHGYSSWPBQTJTTGUSVAKXUCDJBHFKRHEGHIIDQIBNMNBPTCUQXVDKMCQLDDYJEQLPYWFIVRSVCHHZMWWVQSPTEOWKFBQOCSQTIVDEMIEGVVFLVGTQYKHFAQIQIDWGOQCFBYXUBCCAADXTEQWFNWFUUEWWCZWKOPSJAPHFWQQPXLGACJBTIMAPLNZIUQMQYDMTEGLQKPQSZAOUAAZHEFQNKZLRIVEYLQBXOYRAYPVETHTPJWTKBAQMFVCQHILYBXXCIJUSRNECDEBAPQPACKYMONEQAVFVJSLJHMSFLODHAMDEOOQLMHKTRONKXRUSJGZNIPSFDBPUGOOQDGXVUMBHIHMJBJURQUZFOGURXHYACJUXKOHRQKRDYOEUCWNOZMYOMEIECSMGRXADFNSGHNEYHTEUZESWUPBBTWHMAAHATGKEMQJZGUKFHMOPJNWIZHMNPENYBXIYIQQAAAPIDUTGVYULURYREYTCNKILPPERQGQZJOXIUVLLDJBKFXUJTGVBMXJXFCOCDEASKYTKWQYKXJPQPYIMVFTRDRIZGWDHSNPUPGXIZLQHXDLMDNRJWXSZBGUTMSTDCUAYDTGXGFEGTPPNOUDQYIUIRVWYSBPWRTNAHWZOJNZBMFUMOBETTVAJIKGCUOZZNFQXGHJMEETOIEJZISKBKYAFTPYJUBCNCNXVOJQLDZBVOEERMNSHPDRPHBKXUPBSMXTNRSKCXXOGLQOGPAAXIHATAVXMPGBBSIKATHNAZZHCOKHGTBSCMZLDTZSIPNGBQAQVBLOEZNNOCGBGKUDVAVPXMJZWAFTYFQUZALBMQWWTFBKYRIAXMCLPBVGGEVXGVKQOKGLWBYOFWLKNSBXJMTWCKOJNEQGGGMZAEJRHKRITMKM

C:\ProgramData\IDHDGIEHJJJJEBGDAFHJ

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8745947603342119
Encrypted:	false
SSDEEP:	96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
MD5:	378391FDB591852E472D99DC4BF837DA
SHA1:	10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
SHA-256:	513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
SHA-512:	F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\IZMFBFKMEB.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.695566741548326
Encrypted:	false
SSDEEP:	24:61iSJC9lUfmxZoTgwj7WkGrivJpQ4t468phJvvHIm:6M/lU+x27HleIQ4t4bHIm
MD5:	CA699715DA51DFD5AB81CDA02AFD2CD7
SHA1:	72D44C17A04FAB316BEA20F61A80D7AC787879D4
SHA-256:	BA61F500E1845F2FC03C990DA95B7DD92ED8B7583744C941D37BDD90DA666D21
SHA-512:	497F9D6B6EE52454F4B740A6B765F46EBC10575E9A20B62D76594E1CC4E37868182D18315E05E62A78D5131A5569C95C8989F248E3A8C72BD95A99883DF196D2
Malicious:	false
Preview:	IZMFBFKMEBTITTFFYOGRJOKLUYKYEMJURKRTIEUFEDJKBQPELZNUOXWVNDZJRAOONFPZIJHBCSQXWTLQPDNPIJFFQZDETQFKNDQYRTMSHJIWQXJBNOXAVBJCARKFOKHIBUFVCEOHZTISPCFZSEFFASUHHMDHUBAMSDTGESWVKGUMZNYRLTUEBNLLDQOMZLGIFYUADUMCNGQHUWJKQAWHNDDSWUDEYOPPNFAUERMDDQUABWZCHPIWYDNDHUXDNYSLQSQXHUJRCQMGRZMRHEOVRBHVMIEIIBHEADKNABKWVMULXGOWXFOLUTZDUOKAMBBJKEPASVGVTDOUQMBCJGMPZZSAVFTSOBTVJPGYYQSJQWHRBFXNUHYKYXWZSTJELLKRMBHUVLFEPITLTURHTDAKMVDVNYWADPMNSQACTPRPTZDAYSYQHCRSDUXMKTYASRROVGGBBIXHTORYFNKLOIBCKWHWPTJGKEQOSVXTUUTFZVORIRTKYSUWDEDDGTJHWLZYRYCPYUENHHDNRWCVEAZUDOXSWLHJDIGSALQSCJKGZEXAIJUDAQHXCOAVPDFCQIEHQEFVSBLKSKPDHYCYSPHGVTEDVHAWYWOOWFAJSTOXLDYSHUWZIJQGRICKYUZPXLOZURIDFCEWXUMATNYLUVJTEOTDEYCCRPCVBPHMOLWESOWCICFDWLNMYIPCOLYFBDDSRCSOZZCSIWGDPTAXMSUSNBSGLDTYGEEBZGXKIVMAHAMBSJEUPRTVXERTMYQWIYUTCCWNXDLXQQSMSGHDXMIYKWUXJBHOCOBAEVHTWJOZVUWZIGVYBPSQGRQDABKLPWJJRURTHDJAMMOZSJFGCHHDVYXDYYIUIOZDZJWQLIKTEKOTISNTJFMZOMVLIYUHJEAMEKRMBWXHAYWZVDUJKHILQWXCRKUPFLJKIKWARBWYUOFDHFXEHJWSBCSSQMNJANADKJFCPMBCMQGQXNUCZETZWJFUFSMVAZQXHOGKPFDO

C:\ProgramData\JEHIDHDA

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	1.136471148832945
Encrypted:	false
SSDEEP:	192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
MD5:	37B1FC046E4B29468721F797A2BB968D
SHA1:	50055EF1C50E4C1A7CCF7D00620E95128E4C448B
SHA-256:	7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
SHA-512:	1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
Malicious:	false
Preview:	SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\MXPXCVPDVN.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.698669844484375
Encrypted:	false
SSDEEP:	24:7mMbmx9UKbA2JHc6cqYGtPrmwXr33hecYrnpTGwrhq0Lf6iNXQp:JI68rJcqjPSwXzRecYhGKq0LLG
MD5:	4FCF725C73B93BE52C2E1CD48AC3A562
SHA1:	98118BDED7CC2397C19310A914C6CA6B39CC47DE
SHA-256:	3803B68C31F1D6091C8D35F7B737B363C99ABED15B65899869E2A5AFA443D2C4
SHA-512:	8EDB10C8C81284109073EAABDB337F2AF5428AC5A50DE4999B61792D434D099124DF2DB5B2F58E9FC6335EA2E6F474291F8726DEF293A409418CDE6E0D5D7CFC
Malicious:	false
Preview:	MXPXCVPDVNZDMRYXKAXPKZSKXQENMVJGASOKSKKVKMVTFWCKJVQUEHFJLYGAGVTAPSEFWLYDESGESNCQQMFQIJOIYCFNJODSXZOERROXNDWXBZRWZFOKQBPLORLXBDLECIGMCKVUGLWKNMZJBHPGARIQDCSYHCPUKBGABSYSPDCWIMLINBEYVYXKDRVQIRPITEAVGQTKEJGNRGJGNMXLAZZZEOVLCHVHUAHQLECFOLMZPDMGFZOZZRCUGUGQXZRQEEYVPMGAXSRCPXPOCBVPESPOAHTWHHDKCHMXTJCJJDRFYUOIUWGYDNCJXDYQFYCADMQIYTSLSIQVEMFCENTOHNQNWXMKIUOZDFCOFDXWRGCINHQCHYKQMLGTDJSTFEPKLURPPUWEFYLYEFPSNQGBKUZJQDAVMAFGFXHFNGMNUPXAYGABBOYSAPGCMGQZYDGMRINVJWRFASDKOFXOQBOCWTMIFSMCIGFJLECWNXSPKYYMZPZTTKDCIUUBZTJKBGNEDOBUUIKPGSXPUUDSIAYBARDMCGXUVFSTYNWEUHFOSOADWNJSVGVNYVPTFIEGPCWGLEJGVLKBVQHFEPYYRMGWPMKQWLBOAFFRZQRDMFIHCLMXYKGCSNXZKWIKKIILSRZRKNKBMQKPDNBOSZDCMCNAMVOVGTUYRVJHPAMTCIPJHQZLFPQNHPQQTDAETXQMKGTZQPDKQISDDHIQFGGWJPCMAAAGGRYLKNAQHJDFVXQSDDSPCOTQDHQLRMFKVLQAFIBPIEJVVBHAMXWNJDJUFWZAUYOGKLIJAKPXHFCOGJJVGZXSWYIBAKNZMMSVHMHLNHNJCCWYZMEJWSAERLVHQEHUTACSGGGRMLAWNQTJDBBGLANCZUNRXUOYFLZHFFWFLDWPBOZWIRWKAIWLBOQNNKCSLPLMPBIDNPIJQEDKYXMBPUFPZCWHQURUYJBENNRMTLHPICTOSJUUPWITJRCCXDXEHQQYLVPFNZKWXNGEGYNB

C:\ProgramData\NEBFQQYWPS.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.692704155467908
Encrypted:	false
SSDEEP:	24:zrCxfe2LWgi+vQ2TVmOkCRMqftTB+IkHJMBxmT+gmPrwxYu:zSLpN5mOhMq1NUHCLm0Mx/
MD5:	D0B81B6D51E4EDDB3769BCE2A5F1538F
SHA1:	08D04E7E91BD584CC92DB2586E3752A6E50FF2A7
SHA-256:	18CE24DD08DD5F5AC0F5CECA3D6551DFDBBD4893A4A9A9A9331E8ADB67061A33
SHA-512:	CB9E881EE3E57B79597C4AD35D24CBF490882CAB222FD687E52B01798E643876D97A51BE67CBB9AC8CD21EAEC8383FF822569E8E523B165607D328FC53E97B80
Malicious:	false
Preview:	NEBFQQYWPSTEXBZIDUTTATZZTFWRABRJBLLCZYJOVRXHUMPDHEGQDWTHPNRIJXJXBUSQEVJKULMLPCAPCSHFUPDJCEAANNYOFDUHLLLHOVFNKNTRVWZEFIUBXRXIMRWXDPWVTFKQMGYNRABMTANRGGSLGEIOAUBQFQTLCZWMEHWOZIIQMRJLAHLXPXNJVCGLENXDTBFKZKJLYBJRCHNDCSDKFOXIBOZTNXJYAJRSBBQPGAKTHVHMQLXYQGBGJEKXNNJBZRONCQRXSXGBODHFEHXLSDNKZKOYGQWTAWCYFZWCAASDECKZAPFZVLHUZNKAOEOFXYACNHCKLJCQBGVLWGGJAXFSREDNBXZVKQXDJSDSXQALVYBQAWFRFADSUOUAJLGHBNXRJZTADMFYSWTEEFNLTNZQFEUIHOMLHDFXIINXAWFLMBVWLQALRTVDAZZJLUPLSSAEVUHCENQHZDZHUFSLZAWTBWUIZXADMDJFNIGCMGZAUDXHJYRRCZLEWREZLOERQDDSEKREDPHBBKIUIEJMDLPLKXBZACMCVBOXPIUSWSAYGLJYPERFESVJDFDUCRRMCERYFAOHUKEWBRHIXVALIOBSUZIVKQJYQBYWWQBTQFSMFCMHHJGZWZAIAVHBXGYJSOQFKNTZPVJPXHVDUHZBGDUQFSTVAISEPGJPRFXXECIDSLUEKKGYCYYRYPCKPELJNUUBXKUPANFFQZXZCHJZGUXECSVNTCLQWVYUIUXXUHBVRWGMIPLLBTOOJWGEFGIBSTEOEUCIBZTYLFTDGDCLFGIIEJZNJQROHSUVDJWKISAIRTACFAGNSREZROONUNTUTBQDAEWKYIKLSDTXHQQYMOCADIFSSOJPAJKIYLOJZORJLSPXKKVUAEDRRGACWHBZIGNBZSFLRWHTOKEKQVLZFXTYGAOTMFRKSVLKIISUBYUBNXKHYRNKANSRGPAEMLRECJWZZUGCQATTLPPBVLBJPOLHBERJWQJMJGFN

C:\ProgramData\NVWZAPQSQL.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6998645060098685
Encrypted:	false
SSDEEP:	24:FzrJLVfPTlXwAGfwXz0vRDC0aYECjYTixDXXwDyDFdJCSuHFF03T:FRLVHTlXwAGEoVCRYF0EDXgDVFHUj
MD5:	1676F91570425F6566A5746BC8E8427E
SHA1:	0F922133E2BEF0B48C623BEFA0C77361F6FA3900
SHA-256:	534233540B43C2A72D09DBF93858ECD7B5F48376B69182EDBCA9983409F21C87
SHA-512:	07D3CA8902964865FE9909054CF90DA1852678FBE58B1C0A8C2DBA2359A16DCBD43F23142D957DB9C1A8C2A1811EF4FEA74B0016A6F469538366B4FF01C8A146
Malicious:	false
Preview:	NVWZAPQSQLDLCZFLTMOWSKLFWOMMGYWWTZSPFFTDRHOTSSRKDGSJCIGMJJNKHMSAEMKBPGYCFVANNLUHHUMQOHINWJABNFIWWWZXJLCANQSKWMIWKPMVTCWFUMQBAGWZRWHRCMJDSNPGGGNECNQGPIZXLBIMLXMHDDXDKVYPEKRCNITDGJJNAEAATOVDDPBUDYWRPDYWARJTFXBUUZABBVURIWKONIVMPCYVUBTOTCIJJVRWYUNYHAFJZUMVTOIXZGAVVNSRENTVPHFLSLFWBLPFQDMQCJIHRXSQOTPSPDZKXCRBHZXDQIECBJTNIRGCACNADPHRWIVAWGPANEMHGPPPARWYWAOAHPWQLEGOBGVNWVBIFLAEOZYELRFOEZQCQIXCQBUKZGPOQFLHFLCFTYWBDGCWMDWICTICWVZEAQNJOOVCGQZYTBBXQPEYFQMSMETMKKZMRGXXLCDXDEEEJKZAUNEWZONYMVVIZOWQRUQYNOEFMWEVWXFAZRHGHUXGAYODAXDNQONZPVBKRYIOLZJIYSHJSCEPYVMYISKJIWPKVGUQBNLZCUFGXBFZDDRGUMCLJGJPDAZKZLRMDSBFEJQYNNKTHBMJMUHVUOIVZRULJFFYIUMOHUGCJUYZGXKXNIWZUKRIYDZATEOXGMHUPOOBIHEEVPKQEZDDWJHKEKLNTMWMDCFDOYCCDOERYFZNFUDEHYXIBQAVVOHQNIEWZODOFZDFJSWYCJMWWOIZSCZSZBGOIFHRDBXHKMCCLSYNVVXYLWKXEKVHIZEBIBHWMXDXEGZDYWRROMYHTDQVCLXOGVHWHFNIDZOXWTTPAMAKJIYLNQIEDSCCTSBLPHTTGLCIYXXWIBXAGYBACOKOTPPBKACWQBYRTKFMCSSRYQNESLPTLSLCWCSLHOGHNCGUFWMYXDBUFSOKFIDUIBHTQJFIQTVZZVIZEWTBSHJWKQXGUWLFKNDUSKPDSMJNJJNEEOWEHOKTNZWRDNOXWJEK

C:\ProgramData\NVWZAPQSQL.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.6998645060098685
Encrypted:	false
SSDEEP:	24:FzrJLVfPTlXwAGfwXz0vRDC0aYECjYTixDXXwDyDFdJCSuHFF03T:FRLVHTlXwAGEoVCRYF0EDXgDVFHUj
MD5:	1676F91570425F6566A5746BC8E8427E
SHA1:	0F922133E2BEF0B48C623BEFA0C77361F6FA3900
SHA-256:	534233540B43C2A72D09DBF93858ECD7B5F48376B69182EDBCA9983409F21C87
SHA-512:	07D3CA8902964865FE9909054CF90DA1852678FBE58B1C0A8C2DBA2359A16DCBD43F23142D957DB9C1A8C2A1811EF4FEA74B0016A6F469538366B4FF01C8A146
Malicious:	false
Preview:	NVWZAPQSQLDLCZFLTMOWSKLFWOMMGYWWTZSPFFTDRHOTSSRKDGSJCIGMJJNKHMSAEMKBPGYCFVANNLUHHUMQOHINWJABNFIWWWZXJLCANQSKWMIWKPMVTCWFUMQBAGWZRWHRCMJDSNPGGGNECNQGPIZXLBIMLXMHDDXDKVYPEKRCNITDGJJNAEAATOVDDPBUDYWRPDYWARJTFXBUUZABBVURIWKONIVMPCYVUBTOTCIJJVRWYUNYHAFJZUMVTOIXZGAVVNSRENTVPHFLSLFWBLPFQDMQCJIHRXSQOTPSPDZKXCRBHZXDQIECBJTNIRGCACNADPHRWIVAWGPANEMHGPPPARWYWAOAHPWQLEGOBGVNWVBIFLAEOZYELRFOEZQCQIXCQBUKZGPOQFLHFLCFTYWBDGCWMDWICTICWVZEAQNJOOVCGQZYTBBXQPEYFQMSMETMKKZMRGXXLCDXDEEEJKZAUNEWZONYMVVIZOWQRUQYNOEFMWEVWXFAZRHGHUXGAYODAXDNQONZPVBKRYIOLZJIYSHJSCEPYVMYISKJIWPKVGUQBNLZCUFGXBFZDDRGUMCLJGJPDAZKZLRMDSBFEJQYNNKTHBMJMUHVUOIVZRULJFFYIUMOHUGCJUYZGXKXNIWZUKRIYDZATEOXGMHUPOOBIHEEVPKQEZDDWJHKEKLNTMWMDCFDOYCCDOERYFZNFUDEHYXIBQAVVOHQNIEWZODOFZDFJSWYCJMWWOIZSCZSZBGOIFHRDBXHKMCCLSYNVVXYLWKXEKVHIZEBIBHWMXDXEGZDYWRROMYHTDQVCLXOGVHWHFNIDZOXWTTPAMAKJIYLNQIEDSCCTSBLPHTTGLCIYXXWIBXAGYBACOKOTPPBKACWQBYRTKFMCSSRYQNESLPTLSLCWCSLHOGHNCGUFWMYXDBUFSOKFIDUIBHTQJFIQTVZZVIZEWTBSHJWKQXGUWLFKNDUSKPDSMJNJJNEEOWEHOKTNZWRDNOXWJEK

C:\ProgramData\SFPUSAFIOL.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696913287597031
Encrypted:	false
SSDEEP:	24:TEp0dGAR5tKV4V1dnQcncjGi20QoVwGQqh3:20Iw5tKOncjGUwra
MD5:	44ECF9E98785299129B35CBDBCAB909B
SHA1:	4D92AFB00FE614CC8B795F1AF28173DBE76FE7F5
SHA-256:	06E706536CB7D543E6068C98C90721CAD89C23D16D37444F46F9B01C4380DF9E
SHA-512:	1FA347223014BB3AC0106948B07E337B1A98C0BA2D98AC0ADD821D1B3CE9F75681F6383925F5E614F36750C5B9FB92D1C8EEEDC05469FBC6EA3F281D8B52B556
Malicious:	false
Preview:	SFPUSAFIOLDMTRNUTGNTJUWFCWSZSHWEDVXRKVRQQJURAYWLWUUBTIKENFOXKWAEIMQEIZNZNRADQPATZGCMDPRDXLQGZUFJZGZDRTSVNCHAUPMRLPRPZKGVAVXYEVCKEHKMMJGKSJOOUYGYLDDIEYHRSUUPROPBGJMTERPOAVKYFPSCESRJNQZFKBQPUDQDDUMCFWKLZTOAKIRCBYNHNUNDHQGUCZFGLFAWYRAYVDHRMGQXAXAOYSCNPGEKEPCMQBIHRFANOHHAWKRVIORZYSDKULQZFRPSGFVYRDRVLMMPKWJDXUOEBNLILNONKXLMXLVIUCYNNQGCPDXMGSCUEKRTGZJHMNRUEKEIJFJIAHVLHOVPEFBBLWOKZSZSYSSOQIMAXYTLNUMGPOHCVAJUEBTRJRPRJCOTKTDCOEZCJXDLESVDTKVOFQWENRQDQXACWTCILXCPGHHUNHJNQLPPCERJAOCZFIXIHZKTCKZMXYDXVVFZUURETLUVBDNYJHWBIGQTEBATUDWNJLGPYCGIXUBQTVJPDRWVOFIQDYMJOMWUQUNCHQWGETEEEIJZNHHUYACVFRBGSWATTYVHFTURPBDTDDQTWASRBMLCMLRKIGMHWRHHHUVZTGIFNIDBHRKNFOYFIOYERMIXFEIANSZHVUVBFJOQNNJGQUNDLTPKRMYXNUHBOFQLLIDRDFMIAAVQNNXFNDRFBIGEVUSBEJUVVSTEJYKSAUCFDNNJQTSVXAUBHAPFHJIYCNFJQPWEXKMUQRCKERPSFCQKHEDKHHRNWTLAMXHJLOSIZOKYIMDHNEIBAUBKXVXZVXMAZNFTTYQGDGZHKLIHZJNIVHVZHYMNESIMFITKHGIPXKXZDBLBTKTNZDKZTKDHQQJCJDTRVKOCTCXPMDLKSOBGZSQQUTNFYYEOCJVZSZUSESOBKMIJSKKSXTXITISLBTMALAVZEMHXQXVRBZCDKLOKWDYQIEQCKFLKBMPLIQMKDTJPRHOW

C:\ProgramData\SFPUSAFIOL.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.696913287597031
Encrypted:	false
SSDEEP:	24:TEp0dGAR5tKV4V1dnQcncjGi20QoVwGQqh3:20Iw5tKOncjGUwra
MD5:	44ECF9E98785299129B35CBDBCAB909B
SHA1:	4D92AFB00FE614CC8B795F1AF28173DBE76FE7F5
SHA-256:	06E706536CB7D543E6068C98C90721CAD89C23D16D37444F46F9B01C4380DF9E
SHA-512:	1FA347223014BB3AC0106948B07E337B1A98C0BA2D98AC0ADD821D1B3CE9F75681F6383925F5E614F36750C5B9FB92D1C8EEEDC05469FBC6EA3F281D8B52B556
Malicious:	false
Preview:	SFPUSAFIOLDMTRNUTGNTJUWFCWSZSHWEDVXRKVRQQJURAYWLWUUBTIKENFOXKWAEIMQEIZNZNRADQPATZGCMDPRDXLQGZUFJZGZDRTSVNCHAUPMRLPRPZKGVAVXYEVCKEHKMMJGKSJOOUYGYLDDIEYHRSUUPROPBGJMTERPOAVKYFPSCESRJNQZFKBQPUDQDDUMCFWKLZTOAKIRCBYNHNUNDHQGUCZFGLFAWYRAYVDHRMGQXAXAOYSCNPGEKEPCMQBIHRFANOHHAWKRVIORZYSDKULQZFRPSGFVYRDRVLMMPKWJDXUOEBNLILNONKXLMXLVIUCYNNQGCPDXMGSCUEKRTGZJHMNRUEKEIJFJIAHVLHOVPEFBBLWOKZSZSYSSOQIMAXYTLNUMGPOHCVAJUEBTRJRPRJCOTKTDCOEZCJXDLESVDTKVOFQWENRQDQXACWTCILXCPGHHUNHJNQLPPCERJAOCZFIXIHZKTCKZMXYDXVVFZUURETLUVBDNYJHWBIGQTEBATUDWNJLGPYCGIXUBQTVJPDRWVOFIQDYMJOMWUQUNCHQWGETEEEIJZNHHUYACVFRBGSWATTYVHFTURPBDTDDQTWASRBMLCMLRKIGMHWRHHHUVZTGIFNIDBHRKNFOYFIOYERMIXFEIANSZHVUVBFJOQNNJGQUNDLTPKRMYXNUHBOFQLLIDRDFMIAAVQNNXFNDRFBIGEVUSBEJUVVSTEJYKSAUCFDNNJQTSVXAUBHAPFHJIYCNFJQPWEXKMUQRCKERPSFCQKHEDKHHRNWTLAMXHJLOSIZOKYIMDHNEIBAUBKXVXZVXMAZNFTTYQGDGZHKLIHZJNIVHVZHYMNESIMFITKHGIPXKXZDBLBTKTNZDKZTKDHQQJCJDTRVKOCTCXPMDLKSOBGZSQQUTNFYYEOCJVZSZUSESOBKMIJSKKSXTXITISLBTMALAVZEMHXQXVRBZCDKLOKWDYQIEQCKFLKBMPLIQMKDTJPRHOW

C:\ProgramData\SQRKHNBNYN.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.699088014379539
Encrypted:	false
SSDEEP:	24:iGmuvXb+mVV5Ule86OuFXvk64KaOMJQaJO7tZAWPN4rOnsK:/muvL+mP5Ule86OuraOMJZOHADqf
MD5:	BF469DD8C21F5160EACD49BB59E9A370
SHA1:	2CE4942C6CD2E22A644BAAFAED41DF9D0773477F
SHA-256:	9ECF07708D59E0B3AE33ED553978F4B2BB806B2FB805296F73F9270C4AE01B84
SHA-512:	FBBB805B4C65902C67F2F432BA20FFF689FABDB3652702FA176369107F688C43923C9D729095F313425847E14B138E61117ED6C03E582F82B6426BBC2C481380
Malicious:	false
Preview:	SQRKHNBNYNETDCILWIKLNRYHJZUPCYVTJJKABYYNVEJZBFJGIUZEFUHCOZZISQELZULMAPFIBUSVGGSXSVZRNJXFVUEIKBQNARELKJEJZTEBGXIFTBGDXBSYFJKFICMLOMHZZSIJMPIXZMQULHAZWNOCSCLWTNJMCGVQAOPYTZVRLCKSUPSMWVOFCPJAONGQBPLMQUTZSFYRIBDZWBXIEDJISMCTGTYKEIXWVDVOGMFUNRJDNEGJLVWNACBBGIIRTAHGUMSLSIZNGTRAUGMZTVGLIAKLLKJGKBMXIFPOYCQXJZKJHTLNZGDCLMXTYOBGFAPOQCJGRAKORKGGWPBOJLOZATKDZYFDSONUZOGBFRDBUKZTVYZGXDEWUOXNWHMOIBVOWNWFGBHSDTQQKXWZEHQLAYIXOVZEEZNESKKWITYPIDCMFHTWVHMHFCGNEBNVBSSQHMRSWLHVMAZERIUFTRXEVZHKRXWOMGETJJFBRLFIBRGLAQKLDFZEGHLZSVAMXMNCCUROXGQOMDQJSKUNOGLGYYTVABESIDHASDRACLOFEWGPYLEORXSYDRDGPGOXHIAISBZBDRNVQJXXIBNBXMDSKXPBSCGKGPASGNOIDKIBFJWUIRQHZLXZQVHUEHMHTRDWKGJVQHWFQEBJIBQLDWQHOQLXSPFPLWPYZROYDAQOOOYKTPVFQXLMLRDYSVXVAWCEGVSHGDVSHONQUAVCBBHJRTIJAYXUILHNGHIXFJPJFAUDIJFORYJZHNAXLWYBLWKCVJLUJIGBYGSEWFJFIROQQXBVEJEPGVYKSDGTPKJAXDLAEHUXWDHSNXZPAKHXDOWTIFIVFZHYQJCDKOBOMCFVMEKARJULRZEOXVQKSLPWYLMLCYLKXCIELPAZNPRENTCWPNMFETAJHSENFDLPGHKVHIIHECDTQGWZMNTMEHNJFXFUGFJMWUXXGOIHOBSONRLSITUXOCRFNCIJNPHZABGDPAFATRMRCPXROMUN

C:\ProgramData\UCKFKZQOSO.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.680903838155212
Encrypted:	false
SSDEEP:	24:LKfnNJMa93fwQo8TIs8atjNgmog2cp7Udr/6W55y1L:LKfnXvtcr6j7ogi56Gy1L
MD5:	850E61ACEAEEDDEBC82F3FED7AAC0CD6
SHA1:	E12384A8612E923B86669176314F4C9F0AC2172A
SHA-256:	006F4E69AAB9E31DC50DE046E83EC49E4A5E0AEEC0903B515A89C5981E4B8A33
SHA-512:	C6C576B0612C1F95C57A8C05368D45FF5E5658408977C17AFDE412A4D05ECA6D6DBC27B60693C1CCB539FB5D01843ED7C99761797F380DB2B9B42A97BE72E51D
Malicious:	false
Preview:	UCKFKZQOSOYAJKCAUDETZINFKWHUFTAPXGHSDWMENPXVQLXWSGKIPPLCZBJCMKRLKZYIUCWACLAWDCIADCUMWCJHUBPAFNXTWGRXEQUWVGTGIKSBNSSUPBWITJHRUTEAIBGCELNEBQTGRMKMJUGIMHRBMQNBRWNLWRBOFEWGKPQKMSGPUQAMGXVOWRTXVBPJUMMAWHZWHCLCBOVLZXVXZZRPLPIXDWGDPLDOOPPMMQLFAEQHYRLTIPYWIPVSXWFZUWSOBVRKMUHUGLXGCOAOGZQFIIBQGFEKGCIXPZJRNXBAXGEPYSOLLCBZOHNCXEGUTIVUTVEZDQZUBLEXOQHEIGDLXBEBINONFHDNNMGOAPYIPKZVHFGRSBFPLLNRCDLQKJMGIAZBFEIDWXLGQOLHMQAKNIRZUDNNXWCUXRKIICKZZZNSBKXDUIWTQJGUXJWQQWXXKGNBFFLDEJIZQEWBCXAXRNXNWQLULXCXOPXBSEYGEAENBHGGIQICJATGPKSYFYZEDEJUIJIXXGZAVKHNOTCBDWMBWKBSUNAISXLBFYGQBKVJKBARMQOBXNYUIQYRYMSXYBZIFHTYMYACADROLKBNLWBBAKHAHKUXJXIWJQGLHRBETMZNBSTSATFJHKUWYXDAESPQJYNFUFCCOBBYEMVXBXXVYIIBEBEDPCQIJXWAQBHJFHDRWIXMAWDZVLVWMSCZSDXZMOULAHWKTIXFRTBAAFYCRNWSXWBUKJOZYXSZRXIWGNBWPCDYBQGBVWWIRYIVBXZDBFEAHXXCLADQYGNQEAOOBFTIXIUWCJPBWCWUTRFRDYBIQSVQTDTLHBIRGDLFMYKSXHIYABSQPXWJYYNUBSSITHPWVLORLJYRFQZVVOXGTNWZOIEKLXBIKTVTQMUMJAOSRSYZURVSVCVRVTBFIQAPXEGPNBGPECMCYSLDBUVFNGMLOCCKZYXUBXIXIVPNPCMVKNFJFIUCCMHVJXJSBNOKCQGRXSAZEAPL

C:\ProgramData\UOOJJOZIRH.docx

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694311754777018
Encrypted:	false
SSDEEP:	24:A8RGU2wNw6pbc5fP6UBtRzjn+4sNp3GYuf5/4dImDNR4+R00JOGJP89a:Aw4w9h+fiUBtJj+44pc3mDL4+R0MVJ/
MD5:	61908250A5348CC047FF15260F730C2B
SHA1:	CBCF34156EAE25B328A926E21008598EE8D1CBDE
SHA-256:	8700BF8369D39FD5DF142F9482CE8860BD8A26A3304EFBC57CBF9E45782C7A3A
SHA-512:	BCAB9A36BF1111B05BC52D8921CAC19ABC0FA18D93EA4EB9866DF4B31624FFCA2FF55A09C5051DC2AECAB18828BA8FDA5F31FA0F1E1B7CDC51DF39041E2A82F3
Malicious:	false
Preview:	UOOJJOZIRHPVBWNJCWUSWUNTMYTRIXAVHMVNTYLIPCAYUDIDHLMFMKJROINQAVRXUZLNINNJJSHFEFPSZPLVVWBUDRECRECFHEVVEZDHIFPUKQTLDLWAAKNHNLRQDSPWEEVMZICDCINAORJHMIUUNNJHMWJLZHCNXQIZIPHJPLEDKWATEVYJSWRRMCEJGQXHFBOGXKHJFORHFMGMLTTZJKPJBYMKZVWGZAIGHCFNXGRNDDLJZMCZBXDTQVGPSMNLFNFDHXXCXDJJUNSVHDRBZEZFIUQIYSJVDHEFPPPROTSFKVYAURVOKTIKGYYSWJMCPHHISKCOIVXEIQWZICSWMZJVHXNBACFJZRIEQPOISHMZILEXPCMYBSQRASRNWPSMMYPWJFEXHUUJQAMZDZSIKVETWBZUQBTDCCOYIIJFYYHXPZIUCZRQQFYTKLLGWQPTPZJIZHUEFVCDUNPMVORWJRIAYGRRAHBFWKSAMTDEVSHQXJBHBMOINFGNSRFJDWPSMFABPWRZHIOIPNMLHKGNVWQJYVTWLEZDGMBOJLNHPJKWMHWBVAEGELRTQORSRZQBNXOXEHQJHOEQVNZZJSGWQGINLWNPWFSJNPGRBFOBAEJAOEEMVKZTQZEVVODQLWGPNPNOPXEXLEESZERAPVAPHAUNNCEHTNMFJYBTYGSNGBIEDWGUTNCJDESWGYITWPGBEFVMZYUYPQOQBFITFPUQTWZNQFLWVTMUIAOXBCINJDYCHTXVFQFJQSMNUTYABAAOGGEUKHMDYKLCSGIBIFQSYOIRBUYVSCPDGMVNAQBKZPEKHNRNDPIHOUUTPJDKDOACRPOMZOQCOIAOBNPJLJIYDLQLQUMPIRAMVWNBCMMWFDLTUGWRDVGNHOOODYTHAGWDMJKRVJZFYCVLFLQUWEILFSEPBEADHBHFVWZGUZKNXQCRSBRLGIVTWCSHGFTTTPQAKFWFDXDYXWAWDKWXXTMSJSVOBRAYZGGBDPJOGLIZ

C:\ProgramData\UOOJJOZIRH.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.694311754777018
Encrypted:	false
SSDEEP:	24:A8RGU2wNw6pbc5fP6UBtRzjn+4sNp3GYuf5/4dImDNR4+R00JOGJP89a:Aw4w9h+fiUBtJj+44pc3mDL4+R0MVJ/
MD5:	61908250A5348CC047FF15260F730C2B
SHA1:	CBCF34156EAE25B328A926E21008598EE8D1CBDE
SHA-256:	8700BF8369D39FD5DF142F9482CE8860BD8A26A3304EFBC57CBF9E45782C7A3A
SHA-512:	BCAB9A36BF1111B05BC52D8921CAC19ABC0FA18D93EA4EB9866DF4B31624FFCA2FF55A09C5051DC2AECAB18828BA8FDA5F31FA0F1E1B7CDC51DF39041E2A82F3
Malicious:	false
Preview:	UOOJJOZIRHPVBWNJCWUSWUNTMYTRIXAVHMVNTYLIPCAYUDIDHLMFMKJROINQAVRXUZLNINNJJSHFEFPSZPLVVWBUDRECRECFHEVVEZDHIFPUKQTLDLWAAKNHNLRQDSPWEEVMZICDCINAORJHMIUUNNJHMWJLZHCNXQIZIPHJPLEDKWATEVYJSWRRMCEJGQXHFBOGXKHJFORHFMGMLTTZJKPJBYMKZVWGZAIGHCFNXGRNDDLJZMCZBXDTQVGPSMNLFNFDHXXCXDJJUNSVHDRBZEZFIUQIYSJVDHEFPPPROTSFKVYAURVOKTIKGYYSWJMCPHHISKCOIVXEIQWZICSWMZJVHXNBACFJZRIEQPOISHMZILEXPCMYBSQRASRNWPSMMYPWJFEXHUUJQAMZDZSIKVETWBZUQBTDCCOYIIJFYYHXPZIUCZRQQFYTKLLGWQPTPZJIZHUEFVCDUNPMVORWJRIAYGRRAHBFWKSAMTDEVSHQXJBHBMOINFGNSRFJDWPSMFABPWRZHIOIPNMLHKGNVWQJYVTWLEZDGMBOJLNHPJKWMHWBVAEGELRTQORSRZQBNXOXEHQJHOEQVNZZJSGWQGINLWNPWFSJNPGRBFOBAEJAOEEMVKZTQZEVVODQLWGPNPNOPXEXLEESZERAPVAPHAUNNCEHTNMFJYBTYGSNGBIEDWGUTNCJDESWGYITWPGBEFVMZYUYPQOQBFITFPUQTWZNQFLWVTMUIAOXBCINJDYCHTXVFQFJQSMNUTYABAAOGGEUKHMDYKLCSGIBIFQSYOIRBUYVSCPDGMVNAQBKZPEKHNRNDPIHOUUTPJDKDOACRPOMZOQCOIAOBNPJLJIYDLQLQUMPIRAMVWNBCMMWFDLTUGWRDVGNHOOODYTHAGWDMJKRVJZFYCVLFLQUWEILFSEPBEADHBHFVWZGUZKNXQCRSBRLGIVTWCSHGFTTTPQAKFWFDXDYXWAWDKWXXTMSJSVOBRAYZGGBDPJOGLIZ

C:\ProgramData\ZQIXMVQGAH.xlsx

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp
File Type:	ASCII text, with very long lines (1024), with CRLF line terminators
Category:	dropped
Size (bytes):	1026
Entropy (8bit):	4.702263764575455
Encrypted:	false
SSDEEP:	24:QUkKzRRr64jMMhcqBDi9yWJqsBFhli3VZ6i0:QUkCe4j/hI9yWJnvi3Vf0
MD5:	1680F18135FD9FE517865D4B70BCA69F
SHA1:	CE72CFB81AB690709C2C5BBF40348F829C87813B
SHA-256:	0F4384BA6CC62588912ACEBE97E6E00A03D1145AFAF38BDE22023CA303B22CA0
SHA-512:	E63A46F382399DE9A52F82325302CCFF8184246D4A126EDCC98283B6CBC77D4330A01A704BA4E29144A2A37D6E06F9AF22383A00ACC2394E827DC97748171585
Malicious:	false
Preview:	ZQIXMVQGAHDITDJZGGBRVMLECQSWORTZSLVRPVEGPWPVZTSCUAAOZEHEMQBFXYQHAHJZSDLBFWCHSGHULCPYSYSQXRZJWEBIQXUUBQWRWTEIEYXQNQSWSIFSZRCKKPIEMFCPWGUCQQMTSHZBSZVTRBPCPEJUOTTXWFTZMIACKGYGCKGMCSBDEWSYMPFVNOOLZEARTYUPCWTOBACIPWHFPWORDPLQMNLMUZNAKOQVSKHKIFLPCYEHDDRRDQOYCYQVULYYOTKIZPSPBGJRCSTMNKECWGATNMXDLHHCEVMIAXORCUUBFYRDSANZMOGABCQIQLFHTBGKKNPDKITRXVRKSKNVGMYCWRZQDVIMHLJLZRTYAAEHTNREDULDCWBSZMMNIANUNAFOGWCASXNKHREAUCUWLFKPTBHSSBGWNPWTUBBQMZWBLBJUGDBYRIMWQJRPSOWJXAJGBKZNEPJRNRYUSGQVPTEMKUOEFNAJOSUDQYVKPUJCZGEGCSKJLVBNJUHWENWOTATKRZDPPHLZRTEDRFFPOSXJYWZGCANYHHLHXXVTSSYPKKRRPYFRZWPUNTSEFRSCUYISMVFYBIPXTBGXLELYMXPWVIFHICARYLACSUYONWBWTORCZTHJFSTTFVOFCJFCNAETZOVMYJPCQMLJESIRJYXODJQXZDNJABIYMTRLKATOAVVXTUZSVSRMUIPQSCLFLDHXPUIRKARFNWIVJCRHDPDVWJMVIMIYEVDEIYZXDMZFAKSSTYCAXXIWXKFLTNQLSXXZMPIQZYDSHVASWFVUHVXSYXSNAYZOGEQZXYDMZBHUZSYGXGRDAZTEOKPXEATMDEMGOQLFIBNDPAXRWXZXMBHAXSODDRKSUOGIMMNADLIRGHDFDTKKQAFWAYTUNQJNECGAKAPULJFXENSHPMQGUWBJJTPVTDADKCEVKGQOXSCANLNQNJAWKDBVBIWICEASXDEHDCNCUIOBUKTINVKEPNITJZRLWNHBVANB

C:\ProgramData\freebl3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: De0RycaUHH.exe, Detection: malicious, Browse Filename: DzVuoFusnL.exe, Detection: malicious, Browse Filename: 38gmTjpc3Y.exe, Detection: malicious, Browse Filename: tFGPgPkxgo.exe, Detection: malicious, Browse Filename: KFHX2S263Y.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.PWSX-gen.23950.2214.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\mozglue.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\msvcp140.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\ProgramData\nss3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\rc65.dat

Download File

Process:	C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe
File Type:	data
Category:	modified
Size (bytes):	4
Entropy (8bit):	0.8112781244591328
Encrypted:	false
SSDEEP:	3:d:d
MD5:	2AE31D5B0A9E7E9D278F9DD8ED5013D9
SHA1:	1CFEF32EA2C73851C1457C5D1928379008519AE7
SHA-256:	EB024CBF98A5283E37A0276F27AD581605A32D9F82FC84C3C6F4E55264A5AD62
SHA-512:	43C51232C063EFC94C00690A635AB3C0ADAAA23E44DE61FCAA7D2279E6333CAD4EFE2B3287EB90E48D5D8144D72FE46D061BF84D265AFB8650E7959D7FE123EE
Malicious:	false
Preview:	....

C:\ProgramData\resource-a.dat

Download File

Process:	C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	128
Entropy (8bit):	2.9545817380615236
Encrypted:	false
SSDEEP:	3:SmwW3Fde9UUDrjStGs/:Smze7DPStGM
MD5:	98DDA7FC0B3E548B68DE836D333D1539
SHA1:	D0CB784FA2BBD3BDE2BA4400211C3B613638F1C6
SHA-256:	870555CDCBA1F066D893554731AE99A21AE776D41BCB680CBD6510CB9F420E3D
SHA-512:	E79BD8C2E0426DBEBA8AC2350DA66DC0413F79860611A05210905506FEF8B80A60BB7E76546B0CE9C6E6BC9DDD4BC66FF4C438548F26187EAAF6278F769B3AC1
Malicious:	false
Preview:	30ea4c433b26b5bea4193c311bc4a25098960f3df7dbf2a6175bf7d152ea71ca................................................................

C:\ProgramData\resource-b.dat

Download File

Process:	C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	128
Entropy (8bit):	1.2701231977328944
Encrypted:	false
SSDEEP:	3:WAmJuXDz8/:HHzc
MD5:	0D6174E4525CFDED5DD1C9440B9DC1E7
SHA1:	173EF30A035CE666278904625EADCFAE09233A47
SHA-256:	458677CDF0E1A4E87D32AB67D6A5EEA9E67CB3545D79A21A0624E6BB5E1087E7
SHA-512:	86DA96385985A1BA3D67A8676A041CA563838F474DF33D82B6ECD90C101703B30747121A6B7281E025A3C11CE28ACCEDFC94DB4E8D38E391199458056C2CD27A
Malicious:	false
Preview:	ccddf9e705966c2f471db9..........................................................................................................

C:\ProgramData\softokn3.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\ts65.dat

Download File

Process:	C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe
File Type:	ISO-8859 text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	2.0
Encrypted:	false
SSDEEP:	3:1//n:1Xn
MD5:	C1CF6662D775B8568AA6A09B29812C51
SHA1:	B18F44987AE5ABF4903A41BC75ED290BD5CBDBBC
SHA-256:	42EAC57B8D474D08917EE97474B3052093238AD9FB7C91A6C194205BBFC6EFA0
SHA-512:	7FF26C79FF9A12E83F1F23EEA316CC5785D9870099554B6B3C6CAD68CE509D26FE510A460B11674A17CB1E70F87A56C9331882BB98D00046AA36840966A2E816
Malicious:	false
Preview:	.Y.e....

C:\ProgramData\vcruntime140.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Key Signatures verification\SDL2.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	1007104
Entropy (8bit):	6.652666405660804
Encrypted:	false
SSDEEP:	24576:hEbJuxlv9Sawf3oEYsTXR7fxiGmUDZ/HJkAVJcJdKll6/QTjFZLFGPQRGnx54IC5:zlv9SlEJ8C/KjFnMMvvS4
MD5:	AE58662A16410481B477B78B8D47460B
SHA1:	FB8B1BA166913C18EB00F8CA53439D0F4EE54359
SHA-256:	A23D944BEA101C574875C13883088798CFDA712DE969DD14F529E870A0DE87DA
SHA-512:	93280D9AB366B3DFAE6E40E50984764FAB7BE6CA6BD2B5A24D1182D67F06F9CC50203CC3D01A4232593C0C1AD03DFAE56E119286D10B78D2E3D57B394BDA8778
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...t.%S...........#.....J...Z...4..0........`....tl................................=......... ..........................;... .......`.......................p..Pp...........................P.......................$...............................text...$I.......J..................`.P`.data...H/...`...0...N..............@.`..rdata...............~..............@.`@.bss....P3............................`..edata...;.......<..................@.0@.idata....... ......................@.0..CRT....,....@......................@.0..tls.... ....P......................@.0..rsrc........`......................@.0..reloc..Pp...p...r..................@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Key Signatures verification\avcodec-58.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	5607950
Entropy (8bit):	6.633599482017416
Encrypted:	false
SSDEEP:	98304:8IS8iFbnejXFHVSh3z6+N5NeOYVxtAcPVBgkgrumYE1HpMTdy2/vlCyUIs:85hCFVSh3fN5NeOYVxLPVBcumzJMTdyx
MD5:	90593C11E9997DD4224CF278D5D66323
SHA1:	A89583C180A66FE2C8272F8CCD9876326CB29A1E
SHA-256:	82AA37DDE211EE28B366603CC9C74F0584ED46D57DF7C06447060BFCFF886A07
SHA-512:	93A8CDFD26B4684FBBCB6FF8487E77C4996BD48B58D38FB81FE7E243D1368342F2ED27A1219CB81A9CBED72FDD4061ACE091D95C326A4C3DFF84D59E9A45114A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.........U........#...$..;...U..b$...........<..............................pz.......U...@... .......................x.......x..#....y.p.................... y.8E...........................gN.....................P.x..............................text...t.;.......;.................`.``.data...\.....<.......;.............@.`..rdata.......<.......<.............@.p@/4.......v....O..x....O.............@.0@.bss.....`$..0T.......................`..edata........x.......T.............@.0@.idata...#....x..$... T.............@.0..CRT....,.....x......DT.............@.0..tls..........y......FT.............@.0..rsrc...p.....y......HT.............@.0..reloc..8E... y..F...LT.............@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Key Signatures verification\avformat-58.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	2598926
Entropy (8bit):	6.2658394092546565
Encrypted:	false
SSDEEP:	49152:i5AIqzwPbYgLHcIE0DtbfgQPKaGSR+J8QVPqFk8QCMJn:i5AIqMPbYgLastLzPzGSR+J8QVPq9Q
MD5:	608FC55E2116CDCB88C3CF98B206017A
SHA1:	D73E406A963D160D164D686EA25611E8771ADEBF
SHA-256:	B39CF5A71B85B2CD233093EF7D55B39DB025DA78E080B38C070ACCF1436A2B4F
SHA-512:	8098EDD9C1E399925EC0A07BCD277F8634E72D156A75F9A5AF25809B0AEEA8C592CD45772E756F5546E87868756A28476EC53756EC87D79B242E9F16C4DF983F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.........'........#...$......'...............................................(.......(...@... .......................&.......&..?...0'......................@'..............................I#.......................&..............................text...............................`.P`.data...<...........................@.`..rdata..x...........................@.`@/4............#.......#.............@.0@.bss....p.....&.......................`..edata........&.......&.............@.0@.idata...?....&..@....&.............@.0..CRT....,.....'.......&.............@.0..tls......... '.......&.............@.0..rsrc........0'.......&.............@.0..reloc.......@'.......&.............@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Key Signatures verification\avutil-56.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	698382
Entropy (8bit):	6.476081490774289
Encrypted:	false
SSDEEP:	12288:Y8ncCX9jvWgnTMfFj/QhZmyF3yBRAotqlFRHEnWiGGLN:YscCNj3TGFTQhgyF3yBRAyqqV5
MD5:	7C4C4A4D5684E8AACDC6B118A601A7BB
SHA1:	64C8CC24339D73909916E303AB08A253DD49FE3F
SHA-256:	D20E213EF79F5F58CF6CA45812648E21612AF6B82F52EEEE044EA050AB32D75E
SHA-512:	DB34326A59C7E5E809DE1DA9C98D5464D753DD554E9C8DDDC32F164BFE9D637A5D5C6AE093905B8CA075B6801FD0D53E34E6400C7F9E1D553E33618A9BAADEEA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#...$.......... ...........................................,.....}.....@... ......................@+..>....+.$.....+.h.....................+.l1..........................d-........................+.4............................text...............................`.P`.data...............................@.`..rdata.............................@.`@/4...........`.......B..............@.0@.bss....4. ..@........................`..edata...>...@+..@..................@.0@.idata..$.....+......^..............@.0..CRT....,.....+......n..............@.0..tls..........+......p..............@.0..rsrc...h.....+......r..............@.0..reloc..l1....+..2...v..............@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Key Signatures verification\is-1OHA3.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	127192
Entropy (8bit):	6.479927027421408
Encrypted:	false
SSDEEP:	1536:/fMTf09hjtHy4xaIqGpnuJY8KYA/hKjUR+YABqKBrnToIfqIOoIOGESvrTEgTWjx:XMA3Fa0sYDY6hKgRvwqOTBf4uGE+rYgE
MD5:	8B2A6E8419A8A4E7D3FD023D97455FB9
SHA1:	2547A1F94FB4F83B7C133A3E285EE11FAA155E84
SHA-256:	7087CDD1ACDFF6CD1B8D821388F430AF3888314B05A5821BB53E67034362F670
SHA-512:	44438F6DD4BECABC2CB3053E2C42877CBDB0F309FE272F67A94AD530CAF1C5E5D49BC394F7D21C4226A4F0EB6D8661C5C7113508EA2F446E0DBEA0D59554D4A4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........=......#...#.>...................P.....c.........................`......;.....@... .............................. ...............................P......................................................0!...............................text...d=.......>..................`.P`.data...L....P.......B..............@.0..rdata.. S...`...T...D..............@.`@/4.......2.......4..................@.0@.bss....P.............................`..edata..............................@.0@.idata....... ......................@.0..CRT....,....0......................@.0..tls.........@......................@.0..reloc.......P......................@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Key Signatures verification\is-3DVHE.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	68552
Entropy (8bit):	6.1042544770100395
Encrypted:	false
SSDEEP:	768:Jd8ALXCfP6bO/XfLCwiWBot9ZOGLuNTizPm3YRiFVinPHF:X8fq+X9OjZ2APm3YeinPl
MD5:	F06B0761D27B9E69A8F1220846FF12AF
SHA1:	E3A2F4F12A5291EE8DDC7A185DB2699BFFADFE1A
SHA-256:	E85AECC40854203B4A2F4A0249F875673E881119181E3DF2968491E31AD372A4
SHA-512:	5821EA0084524569E07BB18AA2999E3193C97AA52DA6932A7971A61DD03D0F08CA9A2D4F98EB96A603B99F65171F6D495D3E8F2BBB2FC90469C741EF11B514E9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........V......#...$...........................d................................Y_....@... ..............................0..t....`..P....................p..............................`........................1..H............................text..............................`.P`.data...L...........................@.0..rdata..............................@.0@/4......,3.......4..................@.0@.bss..................................0..edata..............................@.0@.idata..t....0......................@.0..CRT....0....@......................@.0..tls.........P......................@.0..rsrc...P....`......................@.0..reloc.......p......................@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Key Signatures verification\is-52MI6.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	105784
Entropy (8bit):	6.258144336244945
Encrypted:	false
SSDEEP:	1536:2VpMEh4vFu4sry2jkEw0D2cXTY+sgmX18CGLganGc:2Vai3yjEw0DNX03gmqCOD3
MD5:	0C6452935851B7CDB3A365AECD2DD260
SHA1:	83EF3CD7F985ACC113A6DE364BDB376DBF8D2F48
SHA-256:	F8385D08BD44B213FF2A2C360FE01AE8A1EDA5311C7E1FC1A043C524E899A8ED
SHA-512:	5FF21A85EE28665C4E707C7044F122D1BAC8E408A06F8EA16E33A8C9201798D196FA65B24327F208C4FF415E24A5AD2414FE7A91D9C0B0D8CFF88299111F2E1D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........@......#...#.2...................P.....b......................................@... .................................................................@............................k......................<................................text...d0.......2..................`.P`.data...l....P.......6..............@.`..rdata..L....`.......D..............@.`@/4....... ......."...\..............@.0@.bss....P.............................`..edata...............~..............@.0@.idata..............................@.0..CRT....,...........................@.0..tls................................@.0..reloc..@...........................@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Key Signatures verification\is-8QNGU.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	1007104
Entropy (8bit):	6.652666405660804
Encrypted:	false
SSDEEP:	24576:hEbJuxlv9Sawf3oEYsTXR7fxiGmUDZ/HJkAVJcJdKll6/QTjFZLFGPQRGnx54IC5:zlv9SlEJ8C/KjFnMMvvS4
MD5:	AE58662A16410481B477B78B8D47460B
SHA1:	FB8B1BA166913C18EB00F8CA53439D0F4EE54359
SHA-256:	A23D944BEA101C574875C13883088798CFDA712DE969DD14F529E870A0DE87DA
SHA-512:	93280D9AB366B3DFAE6E40E50984764FAB7BE6CA6BD2B5A24D1182D67F06F9CC50203CC3D01A4232593C0C1AD03DFAE56E119286D10B78D2E3D57B394BDA8778
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...t.%S...........#.....J...Z...4..0........`....tl................................=......... ..........................;... .......`.......................p..Pp...........................P.......................$...............................text...$I.......J..................`.P`.data...H/...`...0...N..............@.`..rdata...............~..............@.`@.bss....P3............................`..edata...;.......<..................@.0@.idata....... ......................@.0..CRT....,....@......................@.0..tls.... ....P......................@.0..rsrc........`......................@.0..reloc..Pp...p...r..................@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Key Signatures verification\is-9V348.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp
File Type:	data
Category:	dropped
Size (bytes):	3011887
Entropy (8bit):	6.344728384910284
Encrypted:	false
SSDEEP:	49152:JBd317wTswMFUGbYK44yywHwBGMaDZtYuydXFd2X:JBd3q4NbYKjyywHwBEDvYNd1d2X
MD5:	6F7089C685D7FF1C8D5128138356CEE0
SHA1:	F6B416C32051D6F4396EA5BE03FCD10EABDE3403
SHA-256:	1629C0ED510CF8257F7F47033FD1D9CED16A06ABEA9FA2A5CD25F1F6E8FC18F7
SHA-512:	809A5AFE07951A8974828C4E0AB6A6DC51EBF3581D1BA912D4A88DE61C6668F5B25D4B543EA1731D307E71D47BA11B86E6E711E9760313C5C886910B43A72162
Malicious:	false
Preview:	.Z......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..u...u...u.......t.......~.......w...u...S...u...........f...C...t......t...Richu...........................PE..L......e.....................0....................@.......................... ....................................................... ...............................................................................................................text...<........................... ..`.rdata...9.......@..................@..@.data.... ..........................@....rsrc........ ......................@..@_wma6....@....../5..................`...........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Key Signatures verification\is-BD56K.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	442
Entropy (8bit):	3.8280681998470794
Encrypted:	false
SSDEEP:	12:Q+gZPiv77qlXS8lvlRFo1MonAUNycdlUlaT9SaG:Q+gZPo7GU0vlRq1pnAUNnd+gTAaG
MD5:	09204E71E9F3B624E909FB20DEFE6EF5
SHA1:	2374900EBB8D9BB7127217DAE828A949B8E7938B
SHA-256:	D0755838EFEF3A423FFF51C91B2AEC497EB6C1A2A845534D6918C433E1F95267
SHA-512:	7B6FE24B112EED282D5795F0D2D122CC71539823609F1F3A7A5B3CAFEC8C86F00B310454B0CB607F881DBA99E7F2E55DD6EEDC31A3CC3D1F2B10FE43A923DE8F
Malicious:	false
Preview:	..[.L.A.N.G.U.A.G.E.].....n.a.m.e.1.=.E.n.g.l.i.s.h.....n.a.m.e.2.=.E.s.p.a...o.l.....n.a.m.e.3.=.D.e.u.t.s.c.h.....n.a.m.e.4.=.F.r.a.n...a.i.s.....n.a.m.e.5.=.I.t.a.l.i.a.n.o.....n.a.m.e.6.=..e,g......n.a.m.e.7.=.M.a.g.y.a.r.....n.a.m.e.8.=.T...r.k.....n.a.m.e.9.=.'.D.9.1.(.J.).....n.a.m.e.1.0.=.R.o.m...n.......n.a.m.e.1.1.=.A~.-N.e....f.i.l.e.=.e.n.g.l.i.s.h...i.n.i.....[.P.A.T.H.].....n.a.m.e.=.D.:.\.....[.T.I.M.E.S.].....t.i.m.e.=.0.

C:\Users\user\AppData\Local\Key Signatures verification\is-G0QLS.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	5607950
Entropy (8bit):	6.633599482017416
Encrypted:	false
SSDEEP:	98304:8IS8iFbnejXFHVSh3z6+N5NeOYVxtAcPVBgkgrumYE1HpMTdy2/vlCyUIs:85hCFVSh3fN5NeOYVxLPVBcumzJMTdyx
MD5:	90593C11E9997DD4224CF278D5D66323
SHA1:	A89583C180A66FE2C8272F8CCD9876326CB29A1E
SHA-256:	82AA37DDE211EE28B366603CC9C74F0584ED46D57DF7C06447060BFCFF886A07
SHA-512:	93A8CDFD26B4684FBBCB6FF8487E77C4996BD48B58D38FB81FE7E243D1368342F2ED27A1219CB81A9CBED72FDD4061ACE091D95C326A4C3DFF84D59E9A45114A
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.........U........#...$..;...U..b$...........<..............................pz.......U...@... .......................x.......x..#....y.p.................... y.8E...........................gN.....................P.x..............................text...t.;.......;.................`.``.data...\.....<.......;.............@.`..rdata.......<.......<.............@.p@/4.......v....O..x....O.............@.0@.bss.....`$..0T.......................`..edata........x.......T.............@.0@.idata...#....x..$... T.............@.0..CRT....,.....x......DT.............@.0..tls..........y......FT.............@.0..rsrc...p.....y......HT.............@.0..reloc..8E... y..F...LT.............@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Key Signatures verification\is-G7N1I.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	40974
Entropy (8bit):	6.485702128133584
Encrypted:	false
SSDEEP:	768:kB8JMzjwsTYQgUvXtrs7GtUplYj7SG7MLXm:kmMwsTYwvXhZP77SW
MD5:	F47E78AD658B2767461EA926060BF3DD
SHA1:	9BA8A1909864157FD12DDEE8B94536CEA04D8BD6
SHA-256:	602C2B9F796DA7BA7BF877BF624AC790724800074D0E12FFA6861E29C1A38144
SHA-512:	216FA5AA6027C2896EA5C499638DB7298DFE311D04E1ABAC302D6CE7F8D3ED4B9F4761FE2F4951F6F89716CA8104FA4CE3DFECCDBCA77ED10638328D0F13546B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#...!.F...................`.....p......................... ......I5........ .................................................................@...........................L........................................................text....E.......F..................`.P`.data...0....`.......J..............@.0..rdata..$&...p...(...L..............@.`@/4......<............t..............@.0@.bss..................................`..edata..............................@.0@.idata..............................@.0..CRT....,...........................@.0..tls................................@.0..reloc..@...........................@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Key Signatures verification\is-HN3OD.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	125637
Entropy (8bit):	6.2640431186303145
Encrypted:	false
SSDEEP:	3072:lRvT0WUWJXNEn9bufmWAHE9pQIAOBmuWR2:DT0WU6E9Kfms9p5guWc
MD5:	6231B452E676ADE27CA0CEB3A3CF874A
SHA1:	F8236DBF9FA3B2835BBB5A8D08DAB3A155F310D1
SHA-256:	9941EEE1CAFFFAD854AB2DFD49BF6E57B181EFEB4E2D731BA7A28F5AB27E91CF
SHA-512:	F5882A3CDED0A4E498519DE5679EA12A0EA275C220E318AF1762855A94BDAC8DC5413D1C5D1A55A7CC31CFEBCF4647DCF1F653195536CE1826A3002CF01AA12C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........,.....&#...$.d.........................n.........................`............@... .........................u.... ..x............................P....................................................... ...............................text...8b.......d..................`.P`.data...(............h..............@.0..rdata...".......$...j..............@.`@/4.......4.......6..................@.0@.bss..................................0..edata..u...........................@.0@.idata..x.... ......................@.0..CRT....,....0......................@.0..tls.........@......................@.0..reloc.......P......................@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Key Signatures verification\is-JBCJU.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	176200
Entropy (8bit):	6.647007817777345
Encrypted:	false
SSDEEP:	1536:9teve4OMTqM/iKAo+/zO9RhR9aPTxRm1TxStoBtwIbaU+yUsXxTTLRazIxSp/FjU:ze24OM+M/bAWK9Rm1NXwIl+/I9RtqIn
MD5:	6896DC57D056879F929206A0A7692A34
SHA1:	D2F709CDE017C42916172E9178A17EB003917189
SHA-256:	8A7D2DA7685CEDB267BFA7F0AD3218AFA28F4ED2F1029EE920D66EB398F3476D
SHA-512:	CD1A981D5281E8B2E6A8C27A57CDB65ED1498DE21D2B7A62EDC945FB380DEA258F47A9EC9E53BD43D603297635EDFCA95EBCB2A962812CD53C310831242384B8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........8......#...#.b........................tm......................... ......z.....@... .........................E....................................................................w.......................................................text....a.......b..................`.P`.data...P............f..............@.P..rdata...............h..............@.`@/4...............0...Z..............@.0@.bss..................................0..edata..E...........................@.0@.idata..............................@.0..CRT....,...........................@.0..tls................................@.0..reloc..............................@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Key Signatures verification\is-L82B0.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	2598926
Entropy (8bit):	6.2658394092546565
Encrypted:	false
SSDEEP:	49152:i5AIqzwPbYgLHcIE0DtbfgQPKaGSR+J8QVPqFk8QCMJn:i5AIqMPbYgLastLzPzGSR+J8QVPq9Q
MD5:	608FC55E2116CDCB88C3CF98B206017A
SHA1:	D73E406A963D160D164D686EA25611E8771ADEBF
SHA-256:	B39CF5A71B85B2CD233093EF7D55B39DB025DA78E080B38C070ACCF1436A2B4F
SHA-512:	8098EDD9C1E399925EC0A07BCD277F8634E72D156A75F9A5AF25809B0AEEA8C592CD45772E756F5546E87868756A28476EC53756EC87D79B242E9F16C4DF983F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.........'........#...$......'...............................................(.......(...@... .......................&.......&..?...0'......................@'..............................I#.......................&..............................text...............................`.P`.data...<...........................@.`..rdata..x...........................@.`@/4............#.......#.............@.0@.bss....p.....&.......................`..edata........&.......&.............@.0@.idata...?....&..@....&.............@.0..CRT....,.....'.......&.............@.0..tls......... '.......&.............@.0..rsrc........0'.......&.............@.0..reloc.......@'.......&.............@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Key Signatures verification\is-M5A95.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	555894
Entropy (8bit):	3.4167624637949925
Encrypted:	false
SSDEEP:	6144:TnOHRuNruVRJ/RbM4YkuYFSwqFux5T8hac1eQ3RcMLQa9gKutRJhuusoAu3FsWVI:2z8wqux5TEacQmRcMcpfLnFQ
MD5:	77A96C1C8E72D12BE4DFA5600A67E0F4
SHA1:	F1A94189F7DA47DB26E332024C255AFAA085A654
SHA-256:	E6A08981AB88E25B892DB826D75EBE4C3A9EC932704F722B3E32E5D9C8CD359C
SHA-512:	267951B1CF2C745DA69265EEF7E921FF4A9F07C49000EB30D3C1793634C6AB61AB3A897E418A56C77C3F8F735AA2844FC6BF564DC2D88C9C0835A37A318AD52B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........v..$......#...#.:...r...............P.....k......................................@... .................................t............................................................Z.........................\|............................text....8.......:..................`.P`.data...D....P.......>..............@.0..rdata..$....`.......@..............@.`@/4......L....`.......@..............@.0@.bss.........p........................0..edata...............L..............@.0@.idata..t............N..............@.0..CRT....,............R..............@.0..tls.................T..............@.0..reloc........... ...V..............@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Key Signatures verification\is-MTO63.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	720373
Entropy (8bit):	6.507180855614231
Encrypted:	false
SSDEEP:	12288:Vhu7eEcdCP8trP837szHUA6JCzS9Ntc3l3ER6orNjURaFDExyFq:nu7eEYCP8trP837szHUA60SLtcV3E9/O
MD5:	0CB667CD04898DDB032350951D89F0FA
SHA1:	BCAD69ECF970D10AD0C81FD11E1145DB31870CF0
SHA-256:	F57D7FFA3D9BA81640F4FC524C95033AA40FE7F5ECA97E8E05D8D1F76E8A669F
SHA-512:	2785EEC389034D5F80585DA9C03AFA0AE101BB9702A8534354E8A49E748D3CD2DFDC91C1EA67CB5BFA558961B326440902E0D0955C35BDAA1CA18ADC0E9037F5
Malicious:	true
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................x..........x.............@..............................................@...............................%..................................................................................................................CODE.....w.......x.................. ..`DATA.................\|..............@...BSS.....l................................idata...%.......&..................@....tls.....................................rdata..............................@..P.reloc....... ......................@..P.rsrc...............................@..P.....................^..............@..P........................................................................................................................................

C:\Users\user\AppData\Local\Key Signatures verification\is-N956R.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	129038
Entropy (8bit):	6.508174898498455
Encrypted:	false
SSDEEP:	3072:2n7B3zAWc/gG6IsRc+JdTCXw4hXAMpI3pr:2n7B3zAWc/SmXfAMK
MD5:	3D8C24A40935FB27FC494FC6147E6EA8
SHA1:	C26B6949C34AADB8271E124CE08F511BE5033A04
SHA-256:	F83401305ACDA249D2A81CD8496E08643686FF1327EE4A495A1F3ABD77C7C3E6
SHA-512:	2EC272A4E770FB0B748ED3F3ED9E9A6983B2AB9B88D0C57C63E2248A1EF2B8D8A528EFAAD488CA377DBD05748DFA87DF086DDFA6B0DAD58571C47732320DC958
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#...$.f................................................................@... ...................... .......0..T....`.......................p..x...................................................X1...............................text...$d.......f..................`.P`.data...P............j..............@.P..rdata..PE.......F...l..............@.`@/4.......'.......(..................@.0@.bss..................................0..edata....... ......................@.0@.idata..T....0......................@.0..CRT....,....@......................@.0..tls.........P......................@.0..rsrc........`......................@.0..reloc..x....p......................@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Key Signatures verification\is-R4VT6.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	698382
Entropy (8bit):	6.476081490774289
Encrypted:	false
SSDEEP:	12288:Y8ncCX9jvWgnTMfFj/QhZmyF3yBRAotqlFRHEnWiGGLN:YscCNj3TGFTQhgyF3yBRAyqqV5
MD5:	7C4C4A4D5684E8AACDC6B118A601A7BB
SHA1:	64C8CC24339D73909916E303AB08A253DD49FE3F
SHA-256:	D20E213EF79F5F58CF6CA45812648E21612AF6B82F52EEEE044EA050AB32D75E
SHA-512:	DB34326A59C7E5E809DE1DA9C98D5464D753DD554E9C8DDDC32F164BFE9D637A5D5C6AE093905B8CA075B6801FD0D53E34E6400C7F9E1D553E33618A9BAADEEA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#...$.......... ...........................................,.....}.....@... ......................@+..>....+.$.....+.h.....................+.l1..........................d-........................+.4............................text...............................`.P`.data...............................@.`..rdata.............................@.`@/4...........`.......B..............@.0@.bss....4. ..@........................`..edata...>...@+..@..................@.0@.idata..$.....+......^..............@.0..CRT....,.....+......n..............@.0..tls..........+......p..............@.0..rsrc...h.....+......r..............@.0..reloc..l1....+..2...v..............@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Key Signatures verification\is-RHOK0.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	125637
Entropy (8bit):	6.2640431186303145
Encrypted:	false
SSDEEP:	3072:lRvT0WUWJXNEn9bufmWAHE9pQIAOBmuWR2:DT0WU6E9Kfms9p5guWc
MD5:	6231B452E676ADE27CA0CEB3A3CF874A
SHA1:	F8236DBF9FA3B2835BBB5A8D08DAB3A155F310D1
SHA-256:	9941EEE1CAFFFAD854AB2DFD49BF6E57B181EFEB4E2D731BA7A28F5AB27E91CF
SHA-512:	F5882A3CDED0A4E498519DE5679EA12A0EA275C220E318AF1762855A94BDAC8DC5413D1C5D1A55A7CC31CFEBCF4647DCF1F653195536CE1826A3002CF01AA12C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........,.....&#...$.d.........................n.........................`............@... .........................u.... ..x............................P....................................................... ...............................text...8b.......d..................`.P`.data...(............h..............@.0..rdata...".......$...j..............@.`@/4.......4.......6..................@.0@.bss..................................0..edata..u...........................@.0@.idata..x.... ......................@.0..CRT....,....0......................@.0..tls.........@......................@.0..reloc.......P......................@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Key Signatures verification\is-U0S2N.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	1065100
Entropy (8bit):	7.300961775371533
Encrypted:	false
SSDEEP:	24576:gsRe/8fBAUZLYnwPKO6lbbTCpGavkg3NyeuQ6l9fHOfD:gzKBAUZLYwiO6UpGaXBuQQ9uD
MD5:	B7DF9B43BF812DDAF60C99732C1AB273
SHA1:	4A90353C8B2845008483854642B711E917F9CEEF
SHA-256:	74024FE9B8A1E4F8B9B7561B336B2916A20784699CDEEF2948074F0E820C9BDE
SHA-512:	DB78A8AF90E8557BA37DF1B8C089B8C2E6D912CB08A7B633126541FA9A2E91A0DD90E275A83D323DB0E38BB464744225B0FD405A2C828170B5B7AC1333D6C6E7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........8..:......#...#.....4.................... f................................V>....@... ......................P.......`..............................................................0.......................$a...............................text...............................`.P`.data...T...........................@.0..rdata..............................@.`@/4.......Q.......R..................@.0@.bss.........@........................`..edata.......P......................@.0@.idata.......`......................@.0..CRT....,....p......................@.0..tls................................@.0..rsrc...............................@.0..reloc...............$..............@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	3011887
Entropy (8bit):	6.3447286295556085
Encrypted:	false
SSDEEP:	49152:UBd317wTswMFUGbYK44yywHwBGMaDZtYuydXFd2X:UBd3q4NbYKjyywHwBEDvYNd1d2X
MD5:	75BC189F3B2906887761C60E480B7CCF
SHA1:	5D6DCFFBC20CEC4056F123AF0A05FD0AEC00A8F7
SHA-256:	84FE81E96ADEA7140A714181417137D54695F489A1AA4900A6875E76D8B26046
SHA-512:	8FE6720A908D054FF3CF6F82E86C1E17ADC785DC0835C9F495D497EAC300F5A7AAB81EA797B287E618FA6CEF06C48BB056398FA48FE28F2BB5807974581AA780
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..u...u...u.......t.......~.......w...u...S...u...........f...C...t......t...Richu...........................PE..L......e.....................0....................@.......................... ....................................................... ...............................................................................................................text...<........................... ..`.rdata...9.......@..................@..@.data.... ..........................@....rsrc........ ......................@..@_wma6....@....../5..................`...........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Key Signatures verification\languages\is-NPC3C.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	3188
Entropy (8bit):	3.820146923376414
Encrypted:	false
SSDEEP:	96:r9BirQRr9DW1t0Y+6HcRMRBm8K+0vNZry19:Jk+9Ot0EcF8K+d19
MD5:	0F16041A3EFE467EE8440060A5ED7F8A
SHA1:	6FB9C518E8F468275B4C821DB8D1F64DEC787687
SHA-256:	C84D2F1177AAD5EA224C68F34DA0CD0C8E7308BA1CC93494B3376F52051FAC93
SHA-512:	C362D7C35425DDA7F98CDD597F0CC1ED0510194022E5AB9AB8EC0EDCCDDD5D9214563C7D038A2A3A5FD103093074E6D3190CA374D838AA3DD4E78F75C9D2BDE3
Malicious:	false
Preview:	..[.A.P.P.L.I.C.A.T.I.O.N.].....n.a.m.e.=.F.r.e.e. .M.P.3. .C.u.t.t.e.r. .J.o.i.n.e.r.....v.e.r.s.i.o.n.=.V.2.0.2.3...5.....u.r.l.=.h.t.t.p.s.:././.w.w.w...d.v.d.v.i.d.e.o.m.e.d.i.a...c.o.m./.h.o.w.-.t.o.-.c.u.t.-.m.p.3...h.t.m.l.....[.J.I.E.M.I.A.N.].....y.y.=.D.i.l. .S.e...i.m.i.....m.p.3.j.q.=.M.P.3. .K.e.s.i.c.i.....m.p.3.h.b.=.M.P.3. .B.i.r.l.e._.t.i.r.i.c.i.....k.s.j.q.=.B.a._.l.a.n.g.1... .N.o.k.t.a.s.1.:.:.....k.s.j.q.1.=.K.e.s.i.m. .B.a._.l.a.n.g.1.c.1.....j.s.j.q.=.B.i.t.i._. .N.o.k.t.a.s.1.:.....j.q.s.j.=.K.l.i.p. .S...r.e.s.i.:.....y.w.j.=.K.a.y.n.a.k.....k.s.s.j.=.S...r.e. .B.a._.1.....j.s.s.j.=.S...r.e. .S.o.n.u.....s.c.g.s.=...1.k.t.1. .B.i...i.m.i.....o.u.t.p.u.t.=...1.k.t.1. .D.o.s.y.a.s.1.:.....n.y.k.y.z.j.s.r.=.D.o...r.u.d.a.n. .d...z.e.n.l.e.m.e. .d.e.n.e.t.i.m.i. .g.i.r.i._.i. .y.a.p.1.l.a.c.a.k. .z.a.m.a.n. .b.i...i.m.i. .0.0.:.0.0.:.0.0...0.0.0.(.s.a.:.d.a.:.s.n...s.a.l.).....z.t.=.D.u.r.u.m.....z.b.=.H.a.z.1.r.....s.y.m.t.w.j.=.T...m. .S.e.s. .D.o.s.y.a.l.a.r.1.

C:\Users\user\AppData\Local\Key Signatures verification\languages\turkish.ini (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	3188
Entropy (8bit):	3.820146923376414
Encrypted:	false
SSDEEP:	96:r9BirQRr9DW1t0Y+6HcRMRBm8K+0vNZry19:Jk+9Ot0EcF8K+d19
MD5:	0F16041A3EFE467EE8440060A5ED7F8A
SHA1:	6FB9C518E8F468275B4C821DB8D1F64DEC787687
SHA-256:	C84D2F1177AAD5EA224C68F34DA0CD0C8E7308BA1CC93494B3376F52051FAC93
SHA-512:	C362D7C35425DDA7F98CDD597F0CC1ED0510194022E5AB9AB8EC0EDCCDDD5D9214563C7D038A2A3A5FD103093074E6D3190CA374D838AA3DD4E78F75C9D2BDE3
Malicious:	false
Preview:	..[.A.P.P.L.I.C.A.T.I.O.N.].....n.a.m.e.=.F.r.e.e. .M.P.3. .C.u.t.t.e.r. .J.o.i.n.e.r.....v.e.r.s.i.o.n.=.V.2.0.2.3...5.....u.r.l.=.h.t.t.p.s.:././.w.w.w...d.v.d.v.i.d.e.o.m.e.d.i.a...c.o.m./.h.o.w.-.t.o.-.c.u.t.-.m.p.3...h.t.m.l.....[.J.I.E.M.I.A.N.].....y.y.=.D.i.l. .S.e...i.m.i.....m.p.3.j.q.=.M.P.3. .K.e.s.i.c.i.....m.p.3.h.b.=.M.P.3. .B.i.r.l.e._.t.i.r.i.c.i.....k.s.j.q.=.B.a._.l.a.n.g.1... .N.o.k.t.a.s.1.:.:.....k.s.j.q.1.=.K.e.s.i.m. .B.a._.l.a.n.g.1.c.1.....j.s.j.q.=.B.i.t.i._. .N.o.k.t.a.s.1.:.....j.q.s.j.=.K.l.i.p. .S...r.e.s.i.:.....y.w.j.=.K.a.y.n.a.k.....k.s.s.j.=.S...r.e. .B.a._.1.....j.s.s.j.=.S...r.e. .S.o.n.u.....s.c.g.s.=...1.k.t.1. .B.i...i.m.i.....o.u.t.p.u.t.=...1.k.t.1. .D.o.s.y.a.s.1.:.....n.y.k.y.z.j.s.r.=.D.o...r.u.d.a.n. .d...z.e.n.l.e.m.e. .d.e.n.e.t.i.m.i. .g.i.r.i._.i. .y.a.p.1.l.a.c.a.k. .z.a.m.a.n. .b.i...i.m.i. .0.0.:.0.0.:.0.0...0.0.0.(.s.a.:.d.a.:.s.n...s.a.l.).....z.t.=.D.u.r.u.m.....z.b.=.H.a.z.1.r.....s.y.m.t.w.j.=.T...m. .S.e.s. .D.o.s.y.a.l.a.r.1.

C:\Users\user\AppData\Local\Key Signatures verification\libbz2-1.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	105784
Entropy (8bit):	6.258144336244945
Encrypted:	false
SSDEEP:	1536:2VpMEh4vFu4sry2jkEw0D2cXTY+sgmX18CGLganGc:2Vai3yjEw0DNX03gmqCOD3
MD5:	0C6452935851B7CDB3A365AECD2DD260
SHA1:	83EF3CD7F985ACC113A6DE364BDB376DBF8D2F48
SHA-256:	F8385D08BD44B213FF2A2C360FE01AE8A1EDA5311C7E1FC1A043C524E899A8ED
SHA-512:	5FF21A85EE28665C4E707C7044F122D1BAC8E408A06F8EA16E33A8C9201798D196FA65B24327F208C4FF415E24A5AD2414FE7A91D9C0B0D8CFF88299111F2E1D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........@......#...#.2...................P.....b......................................@... .................................................................@............................k......................<................................text...d0.......2..................`.P`.data...l....P.......6..............@.`..rdata..L....`.......D..............@.`@/4....... ......."...\..............@.0@.bss....P.............................`..edata...............~..............@.0@.idata..............................@.0..CRT....,...........................@.0..tls................................@.0..reloc..@...........................@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Key Signatures verification\libgcc_s_dw2-1.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	125637
Entropy (8bit):	6.2640431186303145
Encrypted:	false
SSDEEP:	3072:lRvT0WUWJXNEn9bufmWAHE9pQIAOBmuWR2:DT0WU6E9Kfms9p5guWc
MD5:	6231B452E676ADE27CA0CEB3A3CF874A
SHA1:	F8236DBF9FA3B2835BBB5A8D08DAB3A155F310D1
SHA-256:	9941EEE1CAFFFAD854AB2DFD49BF6E57B181EFEB4E2D731BA7A28F5AB27E91CF
SHA-512:	F5882A3CDED0A4E498519DE5679EA12A0EA275C220E318AF1762855A94BDAC8DC5413D1C5D1A55A7CC31CFEBCF4647DCF1F653195536CE1826A3002CF01AA12C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........,.....&#...$.d.........................n.........................`............@... .........................u.... ..x............................P....................................................... ...............................text...8b.......d..................`.P`.data...(............h..............@.0..rdata...".......$...j..............@.`@/4.......4.......6..................@.0@.bss..................................0..edata..u...........................@.0@.idata..x.... ......................@.0..CRT....,....0......................@.0..tls.........@......................@.0..reloc.......P......................@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Key Signatures verification\libiconv-2.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	1065100
Entropy (8bit):	7.300961775371533
Encrypted:	false
SSDEEP:	24576:gsRe/8fBAUZLYnwPKO6lbbTCpGavkg3NyeuQ6l9fHOfD:gzKBAUZLYwiO6UpGaXBuQQ9uD
MD5:	B7DF9B43BF812DDAF60C99732C1AB273
SHA1:	4A90353C8B2845008483854642B711E917F9CEEF
SHA-256:	74024FE9B8A1E4F8B9B7561B336B2916A20784699CDEEF2948074F0E820C9BDE
SHA-512:	DB78A8AF90E8557BA37DF1B8C089B8C2E6D912CB08A7B633126541FA9A2E91A0DD90E275A83D323DB0E38BB464744225B0FD405A2C828170B5B7AC1333D6C6E7
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........8..:......#...#.....4.................... f................................V>....@... ......................P.......`..............................................................0.......................$a...............................text...............................`.P`.data...T...........................@.0..rdata..............................@.`@/4.......Q.......R..................@.0@.bss.........@........................`..edata.......P......................@.0@.idata.......`......................@.0..CRT....,....p......................@.0..tls................................@.0..rsrc...............................@.0..reloc...............$..............@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Key Signatures verification\libogg-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	40974
Entropy (8bit):	6.485702128133584
Encrypted:	false
SSDEEP:	768:kB8JMzjwsTYQgUvXtrs7GtUplYj7SG7MLXm:kmMwsTYwvXhZP77SW
MD5:	F47E78AD658B2767461EA926060BF3DD
SHA1:	9BA8A1909864157FD12DDEE8B94536CEA04D8BD6
SHA-256:	602C2B9F796DA7BA7BF877BF624AC790724800074D0E12FFA6861E29C1A38144
SHA-512:	216FA5AA6027C2896EA5C499638DB7298DFE311D04E1ABAC302D6CE7F8D3ED4B9F4761FE2F4951F6F89716CA8104FA4CE3DFECCDBCA77ED10638328D0F13546B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#...!.F...................`.....p......................... ......I5........ .................................................................@...........................L........................................................text....E.......F..................`.P`.data...0....`.......J..............@.0..rdata..$&...p...(...L..............@.`@/4......<............t..............@.0@.bss..................................`..edata..............................@.0@.idata..............................@.0..CRT....,...........................@.0..tls................................@.0..reloc..@...........................@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Key Signatures verification\libvorbis-0.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	176200
Entropy (8bit):	6.647007817777345
Encrypted:	false
SSDEEP:	1536:9teve4OMTqM/iKAo+/zO9RhR9aPTxRm1TxStoBtwIbaU+yUsXxTTLRazIxSp/FjU:ze24OM+M/bAWK9Rm1NXwIl+/I9RtqIn
MD5:	6896DC57D056879F929206A0A7692A34
SHA1:	D2F709CDE017C42916172E9178A17EB003917189
SHA-256:	8A7D2DA7685CEDB267BFA7F0AD3218AFA28F4ED2F1029EE920D66EB398F3476D
SHA-512:	CD1A981D5281E8B2E6A8C27A57CDB65ED1498DE21D2B7A62EDC945FB380DEA258F47A9EC9E53BD43D603297635EDFCA95EBCB2A962812CD53C310831242384B8
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........8......#...#.b........................tm......................... ......z.....@... .........................E....................................................................w.......................................................text....a.......b..................`.P`.data...P............f..............@.P..rdata...............h..............@.`@/4...............0...Z..............@.0@.bss..................................0..edata..E...........................@.0@.idata..............................@.0..CRT....,...........................@.0..tls................................@.0..reloc..............................@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Key Signatures verification\libvorbisenc-2.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	555894
Entropy (8bit):	3.4167624637949925
Encrypted:	false
SSDEEP:	6144:TnOHRuNruVRJ/RbM4YkuYFSwqFux5T8hac1eQ3RcMLQa9gKutRJhuusoAu3FsWVI:2z8wqux5TEacQmRcMcpfLnFQ
MD5:	77A96C1C8E72D12BE4DFA5600A67E0F4
SHA1:	F1A94189F7DA47DB26E332024C255AFAA085A654
SHA-256:	E6A08981AB88E25B892DB826D75EBE4C3A9EC932704F722B3E32E5D9C8CD359C
SHA-512:	267951B1CF2C745DA69265EEF7E921FF4A9F07C49000EB30D3C1793634C6AB61AB3A897E418A56C77C3F8F735AA2844FC6BF564DC2D88C9C0835A37A318AD52B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L........v..$......#...#.:...r...............P.....k......................................@... .................................t............................................................Z.........................\|............................text....8.......:..................`.P`.data...D....P.......>..............@.0..rdata..$....`.......@..............@.`@/4......L....`.......@..............@.0@.bss.........p........................0..edata...............L..............@.0@.idata..t............N..............@.0..CRT....,............R..............@.0..tls.................T..............@.0..reloc........... ...V..............@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Key Signatures verification\libwinpthread-1.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	68552
Entropy (8bit):	6.1042544770100395
Encrypted:	false
SSDEEP:	768:Jd8ALXCfP6bO/XfLCwiWBot9ZOGLuNTizPm3YRiFVinPHF:X8fq+X9OjZ2APm3YeinPl
MD5:	F06B0761D27B9E69A8F1220846FF12AF
SHA1:	E3A2F4F12A5291EE8DDC7A185DB2699BFFADFE1A
SHA-256:	E85AECC40854203B4A2F4A0249F875673E881119181E3DF2968491E31AD372A4
SHA-512:	5821EA0084524569E07BB18AA2999E3193C97AA52DA6932A7971A61DD03D0F08CA9A2D4F98EB96A603B99F65171F6D495D3E8F2BBB2FC90469C741EF11B514E9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........V......#...$...........................d................................Y_....@... ..............................0..t....`..P....................p..............................`........................1..H............................text..............................`.P`.data...L...........................@.0..rdata..............................@.0@/4......,3.......4..................@.0@.bss..................................0..edata..............................@.0@.idata..t....0......................@.0..CRT....0....@......................@.0..tls.........P......................@.0..rsrc...P....`......................@.0..reloc.......p......................@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Key Signatures verification\setting.ini (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	442
Entropy (8bit):	3.8280681998470794
Encrypted:	false
SSDEEP:	12:Q+gZPiv77qlXS8lvlRFo1MonAUNycdlUlaT9SaG:Q+gZPo7GU0vlRq1pnAUNnd+gTAaG
MD5:	09204E71E9F3B624E909FB20DEFE6EF5
SHA1:	2374900EBB8D9BB7127217DAE828A949B8E7938B
SHA-256:	D0755838EFEF3A423FFF51C91B2AEC497EB6C1A2A845534D6918C433E1F95267
SHA-512:	7B6FE24B112EED282D5795F0D2D122CC71539823609F1F3A7A5B3CAFEC8C86F00B310454B0CB607F881DBA99E7F2E55DD6EEDC31A3CC3D1F2B10FE43A923DE8F
Malicious:	false
Preview:	..[.L.A.N.G.U.A.G.E.].....n.a.m.e.1.=.E.n.g.l.i.s.h.....n.a.m.e.2.=.E.s.p.a...o.l.....n.a.m.e.3.=.D.e.u.t.s.c.h.....n.a.m.e.4.=.F.r.a.n...a.i.s.....n.a.m.e.5.=.I.t.a.l.i.a.n.o.....n.a.m.e.6.=..e,g......n.a.m.e.7.=.M.a.g.y.a.r.....n.a.m.e.8.=.T...r.k.....n.a.m.e.9.=.'.D.9.1.(.J.).....n.a.m.e.1.0.=.R.o.m...n.......n.a.m.e.1.1.=.A~.-N.e....f.i.l.e.=.e.n.g.l.i.s.h...i.n.i.....[.P.A.T.H.].....n.a.m.e.=.D.:.\.....[.T.I.M.E.S.].....t.i.m.e.=.0.

C:\Users\user\AppData\Local\Key Signatures verification\swresample-3.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	129038
Entropy (8bit):	6.508174898498455
Encrypted:	false
SSDEEP:	3072:2n7B3zAWc/gG6IsRc+JdTCXw4hXAMpI3pr:2n7B3zAWc/SmXfAMK
MD5:	3D8C24A40935FB27FC494FC6147E6EA8
SHA1:	C26B6949C34AADB8271E124CE08F511BE5033A04
SHA-256:	F83401305ACDA249D2A81CD8496E08643686FF1327EE4A495A1F3ABD77C7C3E6
SHA-512:	2EC272A4E770FB0B748ED3F3ED9E9A6983B2AB9B88D0C57C63E2248A1EF2B8D8A528EFAAD488CA377DBD05748DFA87DF086DDFA6B0DAD58571C47732320DC958
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#...$.f................................................................@... ...................... .......0..T....`.......................p..x...................................................X1...............................text...$d.......f..................`.P`.data...P............j..............@.P..rdata..PE.......F...l..............@.`@/4.......'.......(..................@.0@.bss..................................0..edata....... ......................@.0@.idata..T....0......................@.0..CRT....,....@......................@.0..tls.........P......................@.0..rsrc........`......................@.0..reloc..x....p......................@.0B........................................................................................................................................................................................

C:\Users\user\AppData\Local\Key Signatures verification\unins000.dat

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp
File Type:	InnoSetup Log Key Signatures verification, version 0x30, 5575 bytes, 305090\user, "C:\Users\user\AppData\Local\Key Signatures verification"
Category:	dropped
Size (bytes):	5575
Entropy (8bit):	4.896404664201974
Encrypted:	false
SSDEEP:	96:NAEWFRupGleSz97u+eOIh+i7ICSss/Lnjsss4:NAEWF8pGkSVHHIhBICSsAnjssV
MD5:	F7A581836D99F6C0CC6040FA729AB202
SHA1:	72B44FE3F923D31FB04078BB8AF4A991F3C606E7
SHA-256:	9D14CF88B0672A2EDAC62D9728EB9E05B53B18746442A8BAD27F8C9FA4D76ABA
SHA-512:	18C1712D0271F3F80CC8BAEC1D9901F742FF44B31202004B5054D2C55E55404481CEDE7D3CB82DB9DF9B8EFCEA5DA87EADE6DB0B309364CE1BD3F0C34F126D47
Malicious:	false
Preview:	Inno Setup Uninstall Log (b)....................................Key Signatures verification.....................................................................................................Key Signatures verification.....................................................................................................0...........%.................................................................................................................nW..........6.......^....305090.user;C:\Users\user\AppData\Local\Key Signatures verification...........+...... .....i....;.IFPS.............................................................................................................BOOLEAN..............TWIZARDFORM....TWIZARDFORM.........TPASSWORDEDIT....TPASSWORDEDIT...........................................!MAIN....-1..(...dll:kernel32.dll.CreateFileA..............$...dll:kernel32.dll.WriteFile............"...dll:kernel32.dll.CloseHandle........"...dll:kernel32.dll.ExitProcess........

C:\Users\user\AppData\Local\Key Signatures verification\unins000.exe (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	720373
Entropy (8bit):	6.507180855614231
Encrypted:	false
SSDEEP:	12288:Vhu7eEcdCP8trP837szHUA6JCzS9Ntc3l3ER6orNjURaFDExyFq:nu7eEYCP8trP837szHUA60SLtcV3E9/O
MD5:	0CB667CD04898DDB032350951D89F0FA
SHA1:	BCAD69ECF970D10AD0C81FD11E1145DB31870CF0
SHA-256:	F57D7FFA3D9BA81640F4FC524C95033AA40FE7F5ECA97E8E05D8D1F76E8A669F
SHA-512:	2785EEC389034D5F80585DA9C03AFA0AE101BB9702A8534354E8A49E748D3CD2DFDC91C1EA67CB5BFA558961B326440902E0D0955C35BDAA1CA18ADC0E9037F5
Malicious:	true
Preview:	MZP.....................@.......................InUn....................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................x..........x.............@..............................................@...............................%..................................................................................................................CODE.....w.......x.................. ..`DATA.................\|..............@...BSS.....l................................idata...%.......&..................@....tls.....................................rdata..............................@..P.reloc....... ......................@..P.rsrc...............................@..P.....................^..............@..P........................................................................................................................................

C:\Users\user\AppData\Local\Key Signatures verification\zlib1.dll (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	127192
Entropy (8bit):	6.479927027421408
Encrypted:	false
SSDEEP:	1536:/fMTf09hjtHy4xaIqGpnuJY8KYA/hKjUR+YABqKBrnToIfqIOoIOGESvrTEgTWjx:XMA3Fa0sYDY6hKgRvwqOTBf4uGE+rYgE
MD5:	8B2A6E8419A8A4E7D3FD023D97455FB9
SHA1:	2547A1F94FB4F83B7C133A3E285EE11FAA155E84
SHA-256:	7087CDD1ACDFF6CD1B8D821388F430AF3888314B05A5821BB53E67034362F670
SHA-512:	44438F6DD4BECABC2CB3053E2C42877CBDB0F309FE272F67A94AD530CAF1C5E5D49BC394F7D21C4226A4F0EB6D8661C5C7113508EA2F446E0DBEA0D59554D4A4
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...........=......#...#.>...................P.....c.........................`......;.....@... .............................. ...............................P......................................................0!...............................text...d=.......>..................`.P`.data...L....P.......B..............@.0..rdata.. S...`...T...D..............@.`@/4.......2.......4..................@.0@.bss....P.............................`..edata..............................@.0@.idata....... ......................@.0..CRT....,....0......................@.0..tls.........@......................@.0..reloc.......P......................@.0B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\8B96.exe.log

Download File

Process:	C:\Users\user\AppData\Local\Temp\8B96.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	425
Entropy (8bit):	5.353683843266035
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:ML9E4KlKDE4KhKiKhk
MD5:	859802284B12C59DDBB85B0AC64C08F0
SHA1:	4FDDEFC6DB9645057FEB3322BE98EF10D6A593EE
SHA-256:	FB234B6DAB715ADABB23E450DADCDBCDDFF78A054BAF19B5CE7A9B4206B7492B
SHA-512:	8A371F671B962AE8AE0F58421A13E80F645FF0A9888462C1529B77289098A0EA4D6A9E2E07ABD4F96460FCC32AA87B0581CA4D747E77E69C3620BF1368BA9A67
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat

Download File

Process:	C:\Windows\explorer.exe
File Type:	JSON data
Category:	modified
Size (bytes):	1022
Entropy (8bit):	5.215200866635182
Encrypted:	false
SSDEEP:	24:YqHZ6T06MhmamGgb0O0bihmVmGg6CUXyhmGNmGgbxdB6hm3mGgz0Jahm2mGgbNdh:YqHZ6T06McDTb0O0bic4TDUXycRTbxd/
MD5:	BA8512A1180143F7620E106FB9DF5F43
SHA1:	2EF20B9029C7C89ED134DD87F6A9403D4103031F
SHA-256:	171640BF14335CC6403F09E4C72C11146C7393E63A9273C71B98C2D456202BA9
SHA-512:	2B83F9321A98090269D610D552C19B06136719FCD9F310437B2852F938DED711A1D09EABF017BF9AAEA980F68CEC6703234808A5CAB74C9A52AE4903A0DAE797
Malicious:	false
Preview:	{"RecentItems":[{"AppID":"Microsoft.MicrosoftEdge_8wekyb3d8bbwe!MicrosoftEdge","PenUsageSec":15,"LastSwitchedLowPart":3053123472,"LastSwitchedHighPart":31061843,"PrePopulated":true},{"AppID":"Microsoft.WindowsCommunicationsApps_8wekyb3d8bbwe!Microsoft.WindowsLive.Mail","PenUsageSec":15,"LastSwitchedLowPart":3043123472,"LastSwitchedHighPart":31061843,"PrePopulated":true},{"AppID":"Microsoft.Office.OneNote_8wekyb3d8bbwe!microsoft.onenoteim","PenUsageSec":15,"LastSwitchedLowPart":3033123472,"LastSwitchedHighPart":31061843,"PrePopulated":true},{"AppID":"Microsoft.Windows.Photos_8wekyb3d8bbwe!App","PenUsageSec":15,"LastSwitchedLowPart":3023123472,"LastSwitchedHighPart":31061843,"PrePopulated":true},{"AppID":"Microsoft.MSPaint_8wekyb3d8bbwe!Microsoft.MSPaint","PenUsageSec":15,"LastSwitchedLowPart":3013123472,"LastSwitchedHighPart":31061843,"PrePopulated":true},{"AppID":"Microsoft.WindowsMaps_8wekyb3d8bbwe!App","PenUsageSec":15,"LastSwitchedLowPart":3003123472,"LastSwitchedHighPart":31061843,

C:\Users\user\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000001d.db

Download File

Process:	C:\Windows\explorer.exe
File Type:	data
Category:	dropped
Size (bytes):	105280
Entropy (8bit):	4.0102037774823724
Encrypted:	false
SSDEEP:	768:/Y1s96kUGyOTiajk0sphnhuIKN4LNbCjEQKWPw8pxR1vTqQCTzsmayps3nQ1hQiX:/16koOshnhu6T1hQi5G5nU8FmNbKZqPN
MD5:	BF1D7B7583082C4488913F25460D0407
SHA1:	99D8B91CE07E8FD6F0922C95656308B1D8702D1B
SHA-256:	08E6C16734BC2994D1F7B53A34ABD1FFEEE39DC0D749EF5C15C59CA1F7E9AA28
SHA-512:	C2EB778F76E8A3AE27687FB1695069212D319B3D967F6FB9C3278A44048343D7491D65F88B62C222F1B82A62CDD4E4C7FE3C06E08B9EFD745F9217059A10B6EE
Malicious:	false
Preview:	....h... ...@...........P...............X...p...]...........@..........V.......e.n.-.C.H.;.e.n.-.G.B..............................P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....Z.1...........user..B............................................e.n.g.i.n.e.e.r.....V.1...........AppData.@............................................A.p.p.D.a.t.a.....V.1...........Roaming.@............................................R.o.a.m.i.n.g.....\.1...........Microsoft.D............................................M.i.c.r.o.s.o.f.t.....V.1...........Windows.@............................................W.i.n.d.o.w.s.....`.1...........Start Menu..F............................................S.t.a.r.t. .M.e.n.u................(..........P.O. .:i.....+00.../C:\...................P.1...........Users.<............................................U.s.e.r.s.....Z.1...........user..B.........................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\freebl3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	685392
Entropy (8bit):	6.872871740790978
Encrypted:	false
SSDEEP:	12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
MD5:	550686C0EE48C386DFCB40199BD076AC
SHA1:	EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
SHA-256:	EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
SHA-512:	0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........4......p.....................................................@A........................H...S...............x............F..P/.......#................................... ..................@............................text............................... ..`.rdata....... ......................@..@.data...<F...0......................@....00cfg..............................@..@.rsrc...x...........................@..@.reloc...#.......$..."..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\mozglue[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	608080
Entropy (8bit):	6.833616094889818
Encrypted:	false
SSDEEP:	12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
MD5:	C8FD9BE83BC728CC04BEFFAFC2907FE9
SHA1:	95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
SHA-256:	BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
SHA-512:	FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!.........^......................................................j.....@A.........................`...W.....,.... ..................P/...0...A...S..............................h.......................Z.......................text...a........................... ..`.rdata..............................@..@.data...D...........................@....00cfg..............................@..@.tls................................@....rsrc........ ......................@..@.reloc...A...0...B..................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\msvcp140[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	450024
Entropy (8bit):	6.673992339875127
Encrypted:	false
SSDEEP:	12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
MD5:	5FF1FCA37C466D6723EC67BE93B51442
SHA1:	34CC4E158092083B13D67D6D2BC9E57B798A303B
SHA-256:	5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
SHA-512:	4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1C.._..._..._.)n...._......._...^."._..^..._..\..._..[..._..Z..._.._..._......_..]..._.Rich.._.........................PE..L.....0].........."!.....(..........`........@......................................,.....@A.........................g.......r...........................A.......=..`x..8............................w..@............p.......c..@....................text....&.......(.................. ..`.data...H)...@.......,..............@....idata.......p.......D..............@..@.didat..4............X..............@....rsrc................Z..............@..@.reloc...=.......>...^..............@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\nss3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2046288
Entropy (8bit):	6.787733948558952
Encrypted:	false
SSDEEP:	49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
MD5:	1CC453CDF74F31E4D913FF9C10ACDDE2
SHA1:	6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
SHA-256:	AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
SHA-512:	DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................`........................................p......l- ...@A.........................&..........@....P..x...............P/...`..\...................................................\|...\....&..@....................text............................... ..`.rdata..l...........................@..@.data...DR..........................@....00cfg.......@......................@..@.rsrc...x....P......................@..@.reloc..\....`......................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\softokn3[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	257872
Entropy (8bit):	6.727482641240852
Encrypted:	false
SSDEEP:	6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
MD5:	4E52D739C324DB8225BD9AB2695F262F
SHA1:	71C3DA43DC5A0D2A1941E874A6D015A071783889
SHA-256:	74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
SHA-512:	2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....4.c.........."!................P...............................................Sg....@A........................Dv..S....w..........................P/.......5..8q...............................................{...............................text...&........................... ..`.rdata.............................@..@.data................\|..............@....00cfg..............................@..@.rsrc...............................@..@.reloc...5.......6..................@..B........................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\vcruntime140[1].dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	80880
Entropy (8bit):	6.920480786566406
Encrypted:	false
SSDEEP:	1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
MD5:	A37EE36B536409056A86F50E67777DD7
SHA1:	1CAFA159292AA736FC595FC04E16325B27CD6750
SHA-256:	8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
SHA-512:	3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......................08e...................................................u............Rich............PE..L...\|.0].........."!.........................................................0.......m....@A.............................................................A... ....... ..8............................ ..@............................................text............................... ..`.data...............................@....idata..............................@..@.rsrc...............................@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\ping[1].htm

Download File

Process:	C:\Users\user\AppData\Local\Temp\InstallSetup4.exe
File Type:	very short file (no magic)
Category:	dropped
Size (bytes):	1
Entropy (8bit):	0.0
Encrypted:	false
SSDEEP:	3:V:V
MD5:	CFCD208495D565EF66E7DFF9F98764DA
SHA1:	B6589FC6AB0DC82CF12099D1C2D40AB994E8410C
SHA-256:	5FECEB66FFC86F38D952786C6D696C79C2DBC239DD4E91B46729D73A27FB57E9
SHA-512:	31BCA02094EB78126A517B206A88C73CFA9EC6F704C7030D18212CACE820F025F00BF0EA68DBF3F3A5436CA63B53BF7BF80AD8D5DE7D8359D0B7FED9DBC3AB99
Malicious:	false
Preview:	0

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\syncUpd[1].exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\InstallSetup4.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	192512
Entropy (8bit):	6.823974437026099
Encrypted:	false
SSDEEP:	3072:RJmSLHTIY5mztfwI0Ml89YSpxQxaqmxxkyB9q3eQ5kt0Bm52zxuVB:7mSLsY5+130KJyQxaxxkyenCtkzxu
MD5:	F90AB999CA323DA846279F15FC70C470
SHA1:	9E51FCF51A237E838BB96F8AEE97C4BB0A9D41B2
SHA-256:	9C0B3ABCFB29FF48EEF5294BE24DCA94426396C861C76F6F32924CCC779AB077
SHA-512:	78FDB53C709EBC85D12B207B19F18CBC4C36DEBBBD838388E860C4292C4B6684D5CF4FF25F1BF9F69BDDAC9E6ECDAF1D6599C4083B62C9C6CE8B4B9D2AD31752
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 32%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................................................................................................PE..L......c......................n.....b.............@..........................pp.................................................<.....o.................................................................@............................................text............................... ..`.rdata...,..........................@..@.data....m.. ...L..................@....rsrc.........o......\..............@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\8B96.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4260752
Entropy (8bit):	7.994002904492716
Encrypted:	true
SSDEEP:	98304:msiqIvD0GYCsKN5/htyiXogg05h0qN+QJ7ACSeBNneIbj6aaa1pykL3:xIvIGlsUpoiXop+ww7+eBBemjEGyQ
MD5:	1E2FBA96A14DB95142038A3BD5277306
SHA1:	20A7E641C12F42CB26C4A80AE81C7E0D48A1D1E7
SHA-256:	5919EA787C083924B29B208B181FD18100B465B93B9D9BAEDA60813795A10311
SHA-512:	97712FE1485BAC87DACEA8149892B9D33E46F1261EE8FC86B6A591467F0D470236640A010ECB9DA11FBED95842BA2DCAFB169747CF573304F7733CA055D8BF35
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 71%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................PE..L....t.c.................$@...n..............@@...@..................................+A......................................e@.<........x............@..............A@..............................^@.@............@@.p............................text...."@......$@................. ..`.rdata...-...@@......(@.............@..@.data....m..p@..(...V@.............@....rsrc....x.......z...~@.............@..@................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\3ADF.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5838848
Entropy (8bit):	7.984420991000663
Encrypted:	false
SSDEEP:	98304:yaNhKetDJISqhQiQCjNC9bW5Bf6qkZiwUcDNGQslUsmtIFlUsOd/hFPHpFWfYRs:yctD6SqhFtjNC9bW5pb0elUulUj1HpFA
MD5:	230C0C4D6093A74763327DA465F16231
SHA1:	D947898F9E89115C77BA2BF3EA1489922D7E154E
SHA-256:	8E93CA07A6F30CE79C5CA912BCE1D993D5ED249AEAE596D5C846F4A3C1F76935
SHA-512:	BC8D85A626A7912A18397E5975C81287651FDBE815B01EF09A52AD87D6BC530DEF60A0460B5DF18E0AA7609C135FAB0812001F50F79E4E6B396422B4E8BC8B67
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 26%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......e.................n.......................@..........................@......a.Y...@...................................G.d....@....................... ..h.....................................................?..............................text....m.......................... ..`.rdata...?..........................@..@.data...T...........................@....vmp..8Q7......................... ..`.vmp........?.....................@....vmp....V.. ?...W................. ..`.reloc..h.... ........W.............@..@.rsrc........@.......$W.............@..@........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\4KPV6A~1\cached-certs (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\58CA.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	20852
Entropy (8bit):	6.05147791645295
Encrypted:	false
SSDEEP:	384:gU4WGYgVVdz31hif/40VVq1h8PXt/ea4igBVA1hrqc2q48XVd91hMBb50IU4mV91:NddgV/T+HJiO92a9gBSy8nX98b+3jntz
MD5:	141533A96B44667C92AB2EE602DA3C3C
SHA1:	9000C7596ED6C1B6B187CAF5E01330DC556C6E7E
SHA-256:	66FFA9E746DC8DAD2DFA0788B5635B1092A196CF7FC1F30608472A916694567B
SHA-512:	390AD9B4665F67344647BA586BA4B908A83C75ADD1746104231E078DA5207B851ED810A7DDC236BE3E2DDEB7A2C357D36849FECB0AB2421F4F24A90EA64FE50C
Malicious:	false
Preview:	dir-key-certificate-version 3..fingerprint 49015F787433103580E3B66A1707A00E60F2D15B..dir-key-published 2023-12-12 07:10:31..dir-key-expires 2024-03-12 07:10:31..dir-identity-key..-----BEGIN RSA PUBLIC KEY-----..MIIBigKCAYEAxVbS0noZKz1Ei6858RGyyuQgwQUKG4Urrp2BiAzkYxwX+6fURlut..AjeLb4XysqCdNdUipuLRQ2QIy1C220QiCHV6jZAsM4tmEq6TpK6q1lxi5YPKqbGS..CfUQFT1nO4s4DCYSLCwiRNy6bMe8tNHc0MpXP3loCbPkYCoXrEL6vYIROw3oeGWE..KbFPQrzYJAPHgUubBibsY5lkUY9N/5QZw2y1bn+dq9mFOoCIHLd6DkQmySmftnMe..QrpYA2WvE4M5yN2HB8QGT7TdzXPPL6889rFw/mjqYExQPX7cqmILkchsB7I5whjA..u0oodF8Y9ooK9QT0GeK4h3xQhzNG17anuUxbZ7sxzmBwBNmkNyLWEeIntazyjRFr..P2mDY/9YK2JOQKkh3tKl1whcCG9ZtAhKmm/ijG7OrhqtusdGKBXIgALf4f111AK1..gNcacDx2fJzRHuNK8zkIORAzStxKdLbAbBNeLENk1zBjSkrxCOJH4mBpr8TXULq1..ThLI/8OzZq4LAgMBAAE=..-----END RSA PUBLIC KEY-----..dir-signing-key..-----BEGIN RSA PUBLIC KEY-----..MIIBCgKCAQEAr2SjmxqSAa4JGzVKY9jCWFe35IQWv/8Xf9wigoGPfvhSSx0KgkiR..3GPKs9qnpdMpy9RfNf0/nugCMFIE7M5M5sqfWvItMm5Fa91zGjaLs5okWfuiED3g..Q/Az8zoxBJUcs70e6Lxf1zvJ3FoM

C:\Users\user\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\58CA.exe
File Type:	ASCII text, with very long lines (1006)
Category:	dropped
Size (bytes):	2847846
Entropy (8bit):	5.611284169238359
Encrypted:	false
SSDEEP:	12288:SQdyaEgHdX8IIyAPi4Yz9jazizsR7YLKRXcVYJNF8N03du2bMz/yP:SKEo7APEjFLKAMi2tZMmP
MD5:	AC776B6AF62633E66C38E2C6DFB545C7
SHA1:	3ACFBC3682E3171459DCFA29920A56EDB4515ED9
SHA-256:	9A17C2A2DEBFF09375DB576DAECB016A9E242BF1304BA7EA8DE3C284E9B75DF8
SHA-512:	7C872A6CDA948F5D70DF832CB100683B15362FD8D701FAF7293399F02523D5299F860EC75C73063E28BB812A8F8DFAA6F0462C09179FF92FCB34151582F80502
Malicious:	false
Preview:	network-status-version 3 microdesc.vote-status consensus.consensus-method 33.valid-after 2024-02-01 08:00:00.fresh-until 2024-02-01 09:00:00.valid-until 2024-02-01 11:00:00.voting-delay 300 300.client-versions 0.4.8.1-alpha,0.4.8.2-alpha,0.4.8.3-rc,0.4.8.4,0.4.8.5,0.4.8.6,0.4.8.7,0.4.8.8,0.4.8.9,0.4.8.10.server-versions 0.4.8.1-alpha,0.4.8.2-alpha,0.4.8.3-rc,0.4.8.4,0.4.8.5,0.4.8.6,0.4.8.7,0.4.8.8,0.4.8.9,0.4.8.10.known-flags Authority BadExit Exit Fast Guard HSDir MiddleOnly NoEdConsensus Running Stable StaleDesc Sybil V2Dir Valid.recommended-client-protocols Cons=2 Desc=2 DirCache=2 HSDir=2 HSIntro=4 HSRend=2 Link=4-5 Microdesc=2 Relay=2.recommended-relay-protocols Cons=2 Desc=2 DirCache=2 HSDir=2 HSIntro=4 HSRend=2 Link=4-5 LinkAuth=3 Microdesc=2 Relay=2.required-client-protocols Cons=2 Desc=2 Link=4 Microdesc=2 Relay=2.required-relay-protocols Cons=2 Desc=2 DirCache=2 HSDir=2 HSIntro=4 HSRend=2 Link=4-5 LinkAuth=3 Microdesc=2 Relay=2.params AuthDirMaxServersPerAddr=8 CircuitPriorit

C:\Users\user\AppData\Local\Temp\4KPV6A~1\state (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\58CA.exe
File Type:	ASCII text, with very long lines (373), with CRLF line terminators
Category:	dropped
Size (bytes):	4621
Entropy (8bit):	5.293274458459042
Encrypted:	false
SSDEEP:	48:cEzM+FvnBTOuXsVrKvgvqhohBF2VRFcbeOUjZOjrydbE01C:rB5nYuXsVrKvgvT/AkeOUVWrydbE01C
MD5:	ED80A515C275C33C0961B2E7ACD66578
SHA1:	1F5426CD32F8E9CB9AF00A40069BD457039E2D30
SHA-256:	D10940BEA0BF92CD035FF273F0F49B8F073429A8049C16BCD2D6362168EA38C1
SHA-512:	5E60D53F84670774715A6581E0E9335751E05135951AAFA75B0ABC4F7F8DE22789C205B3C378D9AE331AED737C2533ADCADCF9B62EBB24B487F616E7B38AB3F2
Malicious:	false
Preview:	# Tor state file last generated on 2024-02-01 09:53:05 local time..# Other times below are in UTC..# You do not need to edit this file.....CircuitBuildTimeBin 725 1..CircuitBuildTimeBin 775 1..CircuitBuildTimeBin 825 1..CircuitBuildTimeBin 1075 1..CircuitBuildTimeBin 1125 1..CircuitBuildTimeBin 1175 1..CircuitBuildTimeBin 1275 1..CircuitBuildTimeBin 1675 1..CircuitBuildTimeBin 2375 1..CircuitBuildTimeBin 5825 1..CircuitBuildTimeBin 9775 1..CircuitBuildTimeBin 10075 1..CircuitBuildTimeBin 12825 1..CircuitBuildTimeBin 16425 1..CircuitBuildTimeBin 16675 1..CircuitBuildTimeBin 16825 1..CircuitBuildTimeBin 17325 1..Dormant 0..Guard in=default rsa_id=C7FF606D59C7F6BECA8A341D3CF11B423F382D5D nickname=MCdrKNe2 sampled_on=2024-01-24T06:38:59 sampled_idx=0 sampled_by=0.4.4.9 listed=1 confirmed_on=2024-01-21T19:01:50 confirmed_idx=0 pb_use_attempts=10.000000 pb_use_successes=10.000000 pb_circ_attempts=14.000000 pb_circ_successes=12.000000 pb_successful_circuits_closed=12.000000 pb_timeouts=2.00

C:\Users\user\AppData\Local\Temp\4KPV6A~1\unverified-microdesc-consensus (copy)

Download File

Process:	C:\Users\user\AppData\Local\Temp\58CA.exe
File Type:	ASCII text, with very long lines (1006)
Category:	dropped
Size (bytes):	2847846
Entropy (8bit):	5.611284169238359
Encrypted:	false
SSDEEP:	12288:SQdyaEgHdX8IIyAPi4Yz9jazizsR7YLKRXcVYJNF8N03du2bMz/yP:SKEo7APEjFLKAMi2tZMmP
MD5:	AC776B6AF62633E66C38E2C6DFB545C7
SHA1:	3ACFBC3682E3171459DCFA29920A56EDB4515ED9
SHA-256:	9A17C2A2DEBFF09375DB576DAECB016A9E242BF1304BA7EA8DE3C284E9B75DF8
SHA-512:	7C872A6CDA948F5D70DF832CB100683B15362FD8D701FAF7293399F02523D5299F860EC75C73063E28BB812A8F8DFAA6F0462C09179FF92FCB34151582F80502
Malicious:	false
Preview:	network-status-version 3 microdesc.vote-status consensus.consensus-method 33.valid-after 2024-02-01 08:00:00.fresh-until 2024-02-01 09:00:00.valid-until 2024-02-01 11:00:00.voting-delay 300 300.client-versions 0.4.8.1-alpha,0.4.8.2-alpha,0.4.8.3-rc,0.4.8.4,0.4.8.5,0.4.8.6,0.4.8.7,0.4.8.8,0.4.8.9,0.4.8.10.server-versions 0.4.8.1-alpha,0.4.8.2-alpha,0.4.8.3-rc,0.4.8.4,0.4.8.5,0.4.8.6,0.4.8.7,0.4.8.8,0.4.8.9,0.4.8.10.known-flags Authority BadExit Exit Fast Guard HSDir MiddleOnly NoEdConsensus Running Stable StaleDesc Sybil V2Dir Valid.recommended-client-protocols Cons=2 Desc=2 DirCache=2 HSDir=2 HSIntro=4 HSRend=2 Link=4-5 Microdesc=2 Relay=2.recommended-relay-protocols Cons=2 Desc=2 DirCache=2 HSDir=2 HSIntro=4 HSRend=2 Link=4-5 LinkAuth=3 Microdesc=2 Relay=2.required-client-protocols Cons=2 Desc=2 Link=4 Microdesc=2 Relay=2.required-relay-protocols Cons=2 Desc=2 DirCache=2 HSDir=2 HSIntro=4 HSRend=2 Link=4-5 LinkAuth=3 Microdesc=2 Relay=2.params AuthDirMaxServersPerAddr=8 CircuitPriorit

C:\Users\user\AppData\Local\Temp\4kPv6aJG8e\cached-certs.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\58CA.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	20852
Entropy (8bit):	6.05147791645295
Encrypted:	false
SSDEEP:	384:gU4WGYgVVdz31hif/40VVq1h8PXt/ea4igBVA1hrqc2q48XVd91hMBb50IU4mV91:NddgV/T+HJiO92a9gBSy8nX98b+3jntz
MD5:	141533A96B44667C92AB2EE602DA3C3C
SHA1:	9000C7596ED6C1B6B187CAF5E01330DC556C6E7E
SHA-256:	66FFA9E746DC8DAD2DFA0788B5635B1092A196CF7FC1F30608472A916694567B
SHA-512:	390AD9B4665F67344647BA586BA4B908A83C75ADD1746104231E078DA5207B851ED810A7DDC236BE3E2DDEB7A2C357D36849FECB0AB2421F4F24A90EA64FE50C
Malicious:	false
Preview:	dir-key-certificate-version 3..fingerprint 49015F787433103580E3B66A1707A00E60F2D15B..dir-key-published 2023-12-12 07:10:31..dir-key-expires 2024-03-12 07:10:31..dir-identity-key..-----BEGIN RSA PUBLIC KEY-----..MIIBigKCAYEAxVbS0noZKz1Ei6858RGyyuQgwQUKG4Urrp2BiAzkYxwX+6fURlut..AjeLb4XysqCdNdUipuLRQ2QIy1C220QiCHV6jZAsM4tmEq6TpK6q1lxi5YPKqbGS..CfUQFT1nO4s4DCYSLCwiRNy6bMe8tNHc0MpXP3loCbPkYCoXrEL6vYIROw3oeGWE..KbFPQrzYJAPHgUubBibsY5lkUY9N/5QZw2y1bn+dq9mFOoCIHLd6DkQmySmftnMe..QrpYA2WvE4M5yN2HB8QGT7TdzXPPL6889rFw/mjqYExQPX7cqmILkchsB7I5whjA..u0oodF8Y9ooK9QT0GeK4h3xQhzNG17anuUxbZ7sxzmBwBNmkNyLWEeIntazyjRFr..P2mDY/9YK2JOQKkh3tKl1whcCG9ZtAhKmm/ijG7OrhqtusdGKBXIgALf4f111AK1..gNcacDx2fJzRHuNK8zkIORAzStxKdLbAbBNeLENk1zBjSkrxCOJH4mBpr8TXULq1..ThLI/8OzZq4LAgMBAAE=..-----END RSA PUBLIC KEY-----..dir-signing-key..-----BEGIN RSA PUBLIC KEY-----..MIIBCgKCAQEAr2SjmxqSAa4JGzVKY9jCWFe35IQWv/8Xf9wigoGPfvhSSx0KgkiR..3GPKs9qnpdMpy9RfNf0/nugCMFIE7M5M5sqfWvItMm5Fa91zGjaLs5okWfuiED3g..Q/Az8zoxBJUcs70e6Lxf1zvJ3FoM

C:\Users\user\AppData\Local\Temp\4kPv6aJG8e\cached-microdesc-consensus.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\58CA.exe
File Type:	ASCII text, with very long lines (1006)
Category:	dropped
Size (bytes):	2847846
Entropy (8bit):	5.611284169238359
Encrypted:	false
SSDEEP:	12288:SQdyaEgHdX8IIyAPi4Yz9jazizsR7YLKRXcVYJNF8N03du2bMz/yP:SKEo7APEjFLKAMi2tZMmP
MD5:	AC776B6AF62633E66C38E2C6DFB545C7
SHA1:	3ACFBC3682E3171459DCFA29920A56EDB4515ED9
SHA-256:	9A17C2A2DEBFF09375DB576DAECB016A9E242BF1304BA7EA8DE3C284E9B75DF8
SHA-512:	7C872A6CDA948F5D70DF832CB100683B15362FD8D701FAF7293399F02523D5299F860EC75C73063E28BB812A8F8DFAA6F0462C09179FF92FCB34151582F80502
Malicious:	false
Preview:	network-status-version 3 microdesc.vote-status consensus.consensus-method 33.valid-after 2024-02-01 08:00:00.fresh-until 2024-02-01 09:00:00.valid-until 2024-02-01 11:00:00.voting-delay 300 300.client-versions 0.4.8.1-alpha,0.4.8.2-alpha,0.4.8.3-rc,0.4.8.4,0.4.8.5,0.4.8.6,0.4.8.7,0.4.8.8,0.4.8.9,0.4.8.10.server-versions 0.4.8.1-alpha,0.4.8.2-alpha,0.4.8.3-rc,0.4.8.4,0.4.8.5,0.4.8.6,0.4.8.7,0.4.8.8,0.4.8.9,0.4.8.10.known-flags Authority BadExit Exit Fast Guard HSDir MiddleOnly NoEdConsensus Running Stable StaleDesc Sybil V2Dir Valid.recommended-client-protocols Cons=2 Desc=2 DirCache=2 HSDir=2 HSIntro=4 HSRend=2 Link=4-5 Microdesc=2 Relay=2.recommended-relay-protocols Cons=2 Desc=2 DirCache=2 HSDir=2 HSIntro=4 HSRend=2 Link=4-5 LinkAuth=3 Microdesc=2 Relay=2.required-client-protocols Cons=2 Desc=2 Link=4 Microdesc=2 Relay=2.required-relay-protocols Cons=2 Desc=2 DirCache=2 HSDir=2 HSIntro=4 HSRend=2 Link=4-5 LinkAuth=3 Microdesc=2 Relay=2.params AuthDirMaxServersPerAddr=8 CircuitPriorit

C:\Users\user\AppData\Local\Temp\4kPv6aJG8e\cached-microdescs.new

Download File

Process:	C:\Users\user\AppData\Local\Temp\58CA.exe
File Type:	ASCII text, with very long lines (15714)
Category:	dropped
Size (bytes):	22253803
Entropy (8bit):	4.8108187996686835
Encrypted:	false
SSDEEP:	24576:ty1xqf+lV6hHMjBEmUPgbsbHisk4qsZYZ/RKtlBH2esStobtXMVavOZ6vL1xYESj:dM7Ixa2yyzOkvpbg39/bYfXC+Lvovxa
MD5:	9AD0AAACA13BFBAD82FE5DA5BB1EB1F9
SHA1:	4028421AD892EDFEC81B3D493C4D74D1B229540E
SHA-256:	30145D2944A4739D5375A718886F22B9106AFEFD1C92EFF3C92B12E2D9D71817
SHA-512:	6720ADE4A928BEC8710BED6471114840850A800F11D8A812191E0348F9354D74722D424131A2A01031E603C59EB89FC4CC0D32C9EEAEE4C659F4F0FA3B0645A2
Malicious:	false
Preview:	@last-listed 2024-02-01 08:44:22.onion-key.-----BEGIN RSA PUBLIC KEY-----.MIGJAoGBAL5p2/BPS4SKXvHtC/3sZZCO5R1akkUnPcd1BhJ2Zuj3ADWOvhDtD80m.5rOC6jCCut4VxgYjOf6hzgYdy6dkbn25/UaFYvTFYqK3ltDK7uAha2F4TPgZ7uXJ.3NUl1Ejndgn/wYx+GfhGB0w8n1LwAjNhLQEc7ji9TUnIQ9Lgd4//AgMBAAE=.-----END RSA PUBLIC KEY-----.ntor-onion-key Eb/D9vFWIKvlQdic7dRsT4Pv6K0MVY6tKJDFyBwvug4.family $2B66388257A388CA07A0ADFA30FDFA434CA991B7 $3EBF6E6034F6844AC80990A2AE46A3B5B674D3DA $55BF0392AF79B4C6F17379AE94F4D6A9DA94C4BC $63CC9719554561EE7394ADC3228520E8375A2845 $6E72BCD5FB46EB6BEC9543EEC3F70140D5F8EB8A $8AFAD7846A0952C4D02FCC3BC6E994735B417AA4 $8E4F024CFB3410FA3D6D3B18E6EB1314B441B67E $93572919E724E1EECEF0142098703FF42754F491 $A206A7E4CBEC7462678EE29C120CDF7C12507237 $AD03B73D826A468F6237788FD5207327F8F1821F $B7B2E9E3CC692864F56CB3D577EE0D5349A533EF $C128D051E7371C288299FED2922C8AA130155C2D $CB587AF229A16CBC2981E7BF9B96DEB8681AC345 $EB23361ECEFC3469B7D6FCE0995658279F9DA947 $F0F3BEE77EFF7741AFAAA2E026308C69ABCB1B15 $F10F6F548

C:\Users\user\AppData\Local\Temp\4kPv6aJG8e\state.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\58CA.exe
File Type:	ASCII text, with very long lines (373), with CRLF line terminators
Category:	modified
Size (bytes):	4621
Entropy (8bit):	5.293274458459042
Encrypted:	false
SSDEEP:	48:cEzM+FvnBTOuXsVrKvgvqhohBF2VRFcbeOUjZOjrydbE01C:rB5nYuXsVrKvgvT/AkeOUVWrydbE01C
MD5:	ED80A515C275C33C0961B2E7ACD66578
SHA1:	1F5426CD32F8E9CB9AF00A40069BD457039E2D30
SHA-256:	D10940BEA0BF92CD035FF273F0F49B8F073429A8049C16BCD2D6362168EA38C1
SHA-512:	5E60D53F84670774715A6581E0E9335751E05135951AAFA75B0ABC4F7F8DE22789C205B3C378D9AE331AED737C2533ADCADCF9B62EBB24B487F616E7B38AB3F2
Malicious:	false
Preview:	# Tor state file last generated on 2024-02-01 09:53:05 local time..# Other times below are in UTC..# You do not need to edit this file.....CircuitBuildTimeBin 725 1..CircuitBuildTimeBin 775 1..CircuitBuildTimeBin 825 1..CircuitBuildTimeBin 1075 1..CircuitBuildTimeBin 1125 1..CircuitBuildTimeBin 1175 1..CircuitBuildTimeBin 1275 1..CircuitBuildTimeBin 1675 1..CircuitBuildTimeBin 2375 1..CircuitBuildTimeBin 5825 1..CircuitBuildTimeBin 9775 1..CircuitBuildTimeBin 10075 1..CircuitBuildTimeBin 12825 1..CircuitBuildTimeBin 16425 1..CircuitBuildTimeBin 16675 1..CircuitBuildTimeBin 16825 1..CircuitBuildTimeBin 17325 1..Dormant 0..Guard in=default rsa_id=C7FF606D59C7F6BECA8A341D3CF11B423F382D5D nickname=MCdrKNe2 sampled_on=2024-01-24T06:38:59 sampled_idx=0 sampled_by=0.4.4.9 listed=1 confirmed_on=2024-01-21T19:01:50 confirmed_idx=0 pb_use_attempts=10.000000 pb_use_successes=10.000000 pb_circ_attempts=14.000000 pb_circ_successes=12.000000 pb_successful_circuits_closed=12.000000 pb_timeouts=2.00

C:\Users\user\AppData\Local\Temp\4kPv6aJG8e\unverified-microdesc-consensus.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\58CA.exe
File Type:	ASCII text, with very long lines (1006)
Category:	dropped
Size (bytes):	2847846
Entropy (8bit):	5.611284169238359
Encrypted:	false
SSDEEP:	12288:SQdyaEgHdX8IIyAPi4Yz9jazizsR7YLKRXcVYJNF8N03du2bMz/yP:SKEo7APEjFLKAMi2tZMmP
MD5:	AC776B6AF62633E66C38E2C6DFB545C7
SHA1:	3ACFBC3682E3171459DCFA29920A56EDB4515ED9
SHA-256:	9A17C2A2DEBFF09375DB576DAECB016A9E242BF1304BA7EA8DE3C284E9B75DF8
SHA-512:	7C872A6CDA948F5D70DF832CB100683B15362FD8D701FAF7293399F02523D5299F860EC75C73063E28BB812A8F8DFAA6F0462C09179FF92FCB34151582F80502
Malicious:	false
Preview:	network-status-version 3 microdesc.vote-status consensus.consensus-method 33.valid-after 2024-02-01 08:00:00.fresh-until 2024-02-01 09:00:00.valid-until 2024-02-01 11:00:00.voting-delay 300 300.client-versions 0.4.8.1-alpha,0.4.8.2-alpha,0.4.8.3-rc,0.4.8.4,0.4.8.5,0.4.8.6,0.4.8.7,0.4.8.8,0.4.8.9,0.4.8.10.server-versions 0.4.8.1-alpha,0.4.8.2-alpha,0.4.8.3-rc,0.4.8.4,0.4.8.5,0.4.8.6,0.4.8.7,0.4.8.8,0.4.8.9,0.4.8.10.known-flags Authority BadExit Exit Fast Guard HSDir MiddleOnly NoEdConsensus Running Stable StaleDesc Sybil V2Dir Valid.recommended-client-protocols Cons=2 Desc=2 DirCache=2 HSDir=2 HSIntro=4 HSRend=2 Link=4-5 Microdesc=2 Relay=2.recommended-relay-protocols Cons=2 Desc=2 DirCache=2 HSDir=2 HSIntro=4 HSRend=2 Link=4-5 LinkAuth=3 Microdesc=2 Relay=2.required-client-protocols Cons=2 Desc=2 Link=4 Microdesc=2 Relay=2.required-relay-protocols Cons=2 Desc=2 DirCache=2 HSDir=2 HSIntro=4 HSRend=2 Link=4-5 LinkAuth=3 Microdesc=2 Relay=2.params AuthDirMaxServersPerAddr=8 CircuitPriorit

C:\Users\user\AppData\Local\Temp\52CE.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	680601
Entropy (8bit):	7.368957909178037
Encrypted:	false
SSDEEP:	12288:jQs4xp9+KR+G6p9wKvIAHDhCwQipijYcUAwAQKufD6t+TXjuqy:EXT+R5LDYpbQr8wuL
MD5:	DD0A3EBCD915E422F47141770AF20252
SHA1:	16343E4DA2DCC27729E4FFB8DD03F7FAC379CDA9
SHA-256:	C5028CDB9A2633A84FC9311176E8250B49D280235E9A370B492B582B43DF41C7
SHA-512:	9F449D1A0D0B524DE62056F98104DC57F16483533F112CA787742B71BFB6F7DF01AE1A3AE020BB541ECF0D903B290AD75C93EB188AEF6575DCDBBFC92079B067
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 53%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......jge....D...D...D0T.D2..D0T.D=..D0T.D{..D..pD,..D..VD-..D...Dv..D'~.D/..D'~.D/..DRich...D........PE..L...}.e............................Y.............@..........................p..........................................C.......<...................Q9..H)..............................................................(............................text...K........................... ..`.reloc..(........................... ..`.mgjh............................... ..`.rdata........... ..................@..@.data...X...........................@....eEBC...........Q....v.................@................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\58CA.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1902592
Entropy (8bit):	7.96578241790919
Encrypted:	false
SSDEEP:	24576:aIIgn56xKQZ9UvBEJLMJEyvAa5GNBLEMSp/zQZuIwd7SuMAFagdmUypRKjen0CQI:jI+Q9LUU7cpMBMkwIwdtMxpgjeGaf
MD5:	1274287F7DAA409EEA3E07059CF8FD51
SHA1:	A1DF35B30CCD295C319F5E3778F8BF0DEDC996F6
SHA-256:	EAB7F930DC57ABA040449BF4A2A9E2481873AA897A2305D7BE3C3E36765E2843
SHA-512:	136DA364C7733F6243EEBD74CA914714E65B60ACA86A5C96A4751803D40E5C729BD032BDC879F880A083501A544213A5BCE6920057AEB3742B19D7562F0E479E
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 66%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................................PE..L...)t\|d......................n.............. ....@.........................................................................lD..<........x...........................!..............................(=..@............ ..p............................text............................... ..`.rdata...,... ......................@..@.data...\|.m..P...L...B..............@....rsrc....x.......z..................@..@................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\5C46.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	431104
Entropy (8bit):	7.865829876036064
Encrypted:	false
SSDEEP:	6144:4phcsngKdHpPXECq6Xz4G/rmnHXekVB9YNeeA23YMd7pMFW54AXIEB93KWZMxEHL:4pasngwHpP5qa4G4eIWsyHd0XKBBXL
MD5:	1996A23C7C764A77CCACF5808FEC23B0
SHA1:	5A7141B167056BF8F01C067EBE12ED4CCC608DC7
SHA-256:	E40C8E14E8CB8A0667026A35E6E281C7A8A02BDF7BC39B53CFE0605E29372888
SHA-512:	430C8B43C2CBB937D2528FA79C754BE1A1B80C95C45C49DBA323E3FE6097A7505FC437DDAFAB54B21D00FBA9300B5FA36555535A6FA2EB656B5AA45CCF942E23
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 87%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........Y..Y..Y..3..p..Y..[....[..Y..V....X..RichY..................PE..L......d..........................................@......................................@.........................................................................P...................................................8............................text............................... ..`.rdata... ..........................@..@.data... ....0......................@....rsrc...............................@..@................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\6000.dll

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1523712
Entropy (8bit):	7.979039200752945
Encrypted:	false
SSDEEP:	24576:owmNFVzXOrW9fO7F2qeGG3fjBdDv7T1rWZ1P6mGhcpJODFpC2qxCX:opNFVNO7cqeRrDjT1r+xGh9wxu
MD5:	445873A8BBF6DF6F5DC7B87F8BCC0FB8
SHA1:	A0D381FF79CC0350227A9B0176EE84FAC1204C68
SHA-256:	684DB557C20787207E90036DE3DE555C894957A0930F29900C68104C0D99670A
SHA-512:	10D95F469A1E25A8C6F50957A402927A591B403E17B3B39FA81D39B604682170725A0459D79E16C2B21932625D41CAA3D5E950C7A473AD7B2044AA39D13A634C
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 32%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........if....L...L...L.p.L...L...L...L...L...L.p.L...L.p.L...L.p.L...LRich...L........................PE..L....1S>...........!................h........................................P..........................................q..............H.................... ..L.......................................................l............................text.............................. ..`.rdata..q...........................@..@.data....K.......@..................@....rsrc...H...........................@..@.reloc...#... ...0..................@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\7147.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5991936
Entropy (8bit):	7.9770850113372225
Encrypted:	false
SSDEEP:	98304:40oQcW83WO74X4maSGk1Rx/+1Jxa4+OWwUld9Fg5r2YfEMf1uXDTPf5VpfHSAVN1:3o13J4XHdmdWw0Bk5E2wXDT5XSA0zT
MD5:	AFEC1180BFCBA8D6B8BCAE439C73E1EC
SHA1:	3592608C4EFDEA196F7C4CB132B0DFE0AF54B563
SHA-256:	D436D89F9274EFB89CA8A28BC23A7C95D92DC86E9C464430BD06CE56F8535A7D
SHA-512:	828FDB330A5D37E48798B01B92E68D0D6F38BD7C6103734687709AD5413076B47FABCBE3297F0D7B5D80A3A2D40C8FBEF673B5B79EF7F69755B0948FD6D7B214
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 34%
Preview:	MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L......e.................n...<...................@.......................... ......92\...@.................................H.{........ -.....................D.....................................................M.t............................text....m.......................... ..`.rdata...?..........................@..@.data...T...........................@....size>\.@t..........................`..`.size>\......0 .....................`..`........ >..................... ..`...........M.....................@........`.Y...M...Y................. ..`.reloc..D............Y.............@..@.rsrc... -......D...*Y.............@..@........................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\8B96.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	6394880
Entropy (8bit):	7.995883106076817
Encrypted:	true
SSDEEP:	196608:N0XbM42cAcssArBJNPZsZTdUkmhh0rtAl9C+6SJ:S3GdmTdSegt
MD5:	2AB09B6EBDA5C4FDE187A8A91AC25F64
SHA1:	45A6DB1209FE611A60DC8710394D35A453E03EFE
SHA-256:	D36FD9744B55323A635ECB2E40BEF59AF228CEF124E81D38ED70E519117D804E
SHA-512:	76E14ED688EF67222551A3FCD306FEA0995287E88E8551560A05761AEA87D913B041CACC4EEA539BCCC8B05ADF358467E091D350096D17710E5472C13AF8B940
Malicious:	true
Yara Hits:	Rule: MALWARE_Win_DLInjector04, Description: Detects downloader / injector, Source: C:\Users\user\AppData\Local\Temp\8B96.exe, Author: ditekSHen
Antivirus:	Antivirus: ReversingLabs, Detection: 79%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....(.e..................a.........N.a.. ....a...@.. ........................b...........@...................................a.O.....a.@.....................a...................................................... ............... ..H............text...T.a.. ....a................. ..`.rsrc...@.....a.......a.............@..@.reloc........a.......a.............@..B................0.a.....H.......<.a..............'...ja..........................................0.._.......~....,.(....,..(....~....,.(....,..(....~....,.(....,..(....~....,.(....,..(....~....,.~.... ....Z(....~....,.r...pr...p.(....&..8....~.....o.....~.....o.....~.....o.....~.....o.......(......~....,...(......~....r...p(....,.(....r...po......(......+)~....r1..p(....,...(....r...po....(..........(....(..........(.......(......X..~....o....?....~....&*..0../........s.....s.......s.......o.......,

C:\Users\user\AppData\Local\Temp\99FE.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	7604013
Entropy (8bit):	7.999485566047926
Encrypted:	true
SSDEEP:	98304:Njo7BbgLDg4QNGgy1pqDQce2vOzHXRLG8YvpvG3/0fi8+RarLQiU4MdFJgN34UdA:nL8f4gnQMsLG3RGsfj+8AH4MdFqFiX
MD5:	4D0BDD6E4F596B077EB8FAC05E502EDA
SHA1:	47469B70905BD4B9BB9A2F069F68928FEB54A850
SHA-256:	D137E436029C25CFCAB55BB0103FBC6B91A1D2D635001520F8DA3C17618922D6
SHA-512:	58F734B414CD1D1C3D4DEF021F238057B47A5D5620567DED181A9878E714027C314502BE1A015DC16CA756C53D30A9EAAF84741842CA81C546CD45A8C4580D40
Malicious:	true
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................F......@.............@..........................@...................@..............................P........,..........................................................................................................CODE....d........................... ..`DATA....L...........................@...BSS......................................idata..P...........................@....tls.....................................rdata..............................@..P.reloc..............................@..P.rsrc....,.......,..................@..P.............@......................@..P........................................................................................................................................

C:\Users\user\AppData\Local\Temp\BD27.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	193024
Entropy (8bit):	6.818301844183476
Encrypted:	false
SSDEEP:	3072:gJmSLHTIY5mztfxY/y7hHxAZ/kHap8HmW5KjjVB:qmSLsY5+1q/y7huNkHatjj
MD5:	31A6C56DA13533F4ADDEF7BAB188E395
SHA1:	FAAA36754AE4B8B04E89E6928338EB137A327A73
SHA-256:	A2D67DAEA33A52DE3B121B43EBF8D2C8F5F5E1EF897BC1C7CFAAA9591A9D4172
SHA-512:	AE939CFDFEE3568D4FDD848E6F026C2A09FB45AAD5885247E80323411B33DF46B28E78506DD322B2379915F1C2B61EF7E2C6C25166F93B5581A8C5BBB76CAA73
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................................................................................................PE..L....Y/d......................n.....b.............@..........................pp.....GP..........................................<.....o.................................................................@............................................text...F........................... ..`.rdata...,..........................@..@.data....m.. ...L..................@....rsrc.........o......^..............@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\BroomSetup.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\InstallSetup4.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4979200
Entropy (8bit):	6.419395528077673
Encrypted:	false
SSDEEP:	49152:90oSiZ63YBmS9+rCgpvH8la0ZxRh+caGnj8HEQUhexTUT+1d/2/Tbt:0Ula0cGwXUheabt
MD5:	5E94F0F6265F9E8B2F706F1D46BBD39E
SHA1:	D0189CBA430F5EEA07EFE1AB4F89ADF5AE2453DB
SHA-256:	50A46B3120DA828502EF0CABA15DEFBAD004A3ADB88E6EACF1F9604572E2D503
SHA-512:	473DFA66A36FEED9B29A43245074141478327CE22BA7CCE512599379DCB783B4D665E2D65C5E9750B988C7ED8F6C3349A7A12D4B8B57C89840EEE6CA6E1A30CD
Malicious:	true
Yara Hits:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe, Author: Joe Security
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...F..^..................9..X.......9.......9...@.......................... N..................@....................<......`<..B...`A.......................<.tk............................<.....................Ll<.......<......................text...8`9......b9................. ..`.itext...;....9..<...f9............. ..`.data.........9.......9.............@....bss....`.....:..........................idata...B...`<..D...\|:.............@....didata.......<.......:.............@....edata........<.......:.............@..@.tls....L.....<..........................rdata..].....<.......:.............@..@.reloc..tk....<..l....:.............@..B.rsrc........`A......<?.............@..@............. N.......K.............@..@................

C:\Users\user\AppData\Local\Temp\D358.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	678912
Entropy (8bit):	7.497991289164504
Encrypted:	false
SSDEEP:	12288:QKWx9unShF7rjHEB1LFn4jT6RTxry/3cXT3mDBB/SWNy84oeYxYmE:Qa6RwRyT6Le/MijXNXNxYm
MD5:	98B480339C9A8C8316F5255F976FD575
SHA1:	306AFD77C684C9F20645030CC78ED42D8507CA87
SHA-256:	CE2233AFBAAE3DBD11DE511A72182D30CC1F7ABFFB9F35506954FABDF723C234
SHA-512:	AED448B6AAE5796B3880262CBD4310665158A765AED5B4CBCBECF9856DC20C111ED499C7EEBB9D440A467E9FCE476B73597CD1DF9B1293DB345646D7C840C66B
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 84%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O..'..ct..ct..ctd..t..ctd..tz.ctd..t/.ct...t..ct..btm.ctd..t..ctd..t..ctd..t..ctRich..ct........................PE..L.....ec.................D...........+.......`....@..................................&......................................L...<....P..............................................................................`...............................text....B.......D.................. ..`.rdata...K...`...L...H..............@..@.data...p........"..................@....tls.........@......................@....rsrc........P......................@..@........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\DFB4.exe

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	628736
Entropy (8bit):	7.78488985226744
Encrypted:	false
SSDEEP:	12288:IT/l2NIKAX1ILVq5L0UqxWOF5g1S7KY5oOct3Coo04:I5qIV5hdOF5v7K0kFCh0
MD5:	06FAD45002385C2B1062998E6D840E54
SHA1:	4C598A9FD8F4768BFCC83A2B43EFFA1387050003
SHA-256:	FE089E2DE5573A6E56CA69768894BFFA6CFE9D2DB226EDD6EBD75A221D044611
SHA-512:	4917EA1585E746AD3F105589768A506F48C24D15BC88FE3A65419D7B5FEE1F7AF1FB06D5746A9A8982CE81DE97F668EB24BBF53E45637F5C3E83DC95DD7F3F8F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 37%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................................................................................................PE..L......d......................n.....b.............@.......................... w.................................................<.....v................................................................@............................................text...F........................... ..`.rdata...,..........................@..@.data....m......L..................@....rsrc.........v.....................@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\InstallSetup4.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\8B96.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	2123213
Entropy (8bit):	7.978872003656479
Encrypted:	false
SSDEEP:	49152:Ch9F2z0X1W34qvuyXPHcqaGqW9gwLgMyu5noEiyIJAuM:CXFdFWINS/NF9gpMR5oEfJ
MD5:	AB8E9C5D6AB3051C122463922F936EE8
SHA1:	60B78CD895FCA552562C829ADF86834F0211A4AC
SHA-256:	278076733A14E182119C5BEF487EE5F9DCEA0BF4E2ED853C12713B3F946FE7D3
SHA-512:	2E6C9380F411AAF3BA1000F8DDDDF72E9B6340174622A18C4164275AF3BB6A13CE74A24A8C7CD319E1E1B8A942AFF672FF534F28306E968137B21B4056442294
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 66%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN._...PN..PO.JPN._...PN.s~..PN..VH..PN.Rich.PN.........................PE..L...l.d.................j..........25............@..........................P............@..........................................P..(............................................................................................................text....h.......j.................. ..`.rdata..d............n..............@..@.data...............................@....ndata.......P...........................rsrc...(....P......................@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-66LSP.tmp\_isetup\_RegDLL.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	4.026670007889822
Encrypted:	false
SSDEEP:	48:ivuz1hEU3FR/pmqBl8/QMCBaquEMx5BC+SS4k+bkguj0KHc:bz1eEFNcqBC/Qrex5iSKDkc
MD5:	0EE914C6F0BB93996C75941E1AD629C6
SHA1:	12E2CB05506EE3E82046C41510F39A258A5E5549
SHA-256:	4DC09BAC0613590F1FAC8771D18AF5BE25A1E1CB8FDBF4031AA364F3057E74A2
SHA-512:	A899519E78125C69DC40F7E371310516CF8FAA69E3B3FF747E0DDF461F34E50A9FF331AB53B4D07BB45465039E8EBA2EE4684B3EE56987977AE8C7721751F5F9
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.....................H................\|.......\|.......\|......Rich............PE..L....M;J..................................... ....@..........................@..............................................l ..P....0..@............................................................................ ..D............................text............................... ..`.rdata....... ......................@..@.rsrc...@....0......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-66LSP.tmp\_isetup\_iscrypt.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2560
Entropy (8bit):	2.8818118453929262
Encrypted:	false
SSDEEP:	24:e1GSgDIX566lIB6SXvVmMPUjvhBrDsqZ:SgDKRlVImgUNBsG
MD5:	A69559718AB506675E907FE49DEB71E9
SHA1:	BC8F404FFDB1960B50C12FF9413C893B56F2E36F
SHA-256:	2F6294F9AA09F59A574B5DCD33BE54E16B39377984F3D5658CDA44950FA0F8FC
SHA-512:	E52E0AA7FE3F79E36330C455D944653D449BA05B2F9ABEE0914A0910C3452CFA679A40441F9AC696B3CCF9445CBB85095747E86153402FC362BB30AC08249A63
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........W.c.W.c.W.c...>.T.c.W.b.V.c.R.<.V.c.R.?.V.c.R.9.V.c.RichW.c.........................PE..L....b.@...........!......................... ...............................@......................................p ..}.... ..(............................0....................................................... ...............................text............................... ..`.rdata....... ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-66LSP.tmp\_isetup\_isdecmp.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19456
Entropy (8bit):	5.8975201046735535
Encrypted:	false
SSDEEP:	384:ED4NeA1PrXPBdHCNPJEQkWybd0oBSRnAZ806OSDrgtOFXqYUPYNQLJ/k+9tPEBer:64NHPfHCs6GNOpiM+RFjFyzcN23A
MD5:	3ADAA386B671C2DF3BAE5B39DC093008
SHA1:	067CF95FBDB922D81DB58432C46930F86D23DDED
SHA-256:	71CD2F5BC6E13B8349A7C98697C6D2E3FCDEEA92699CEDD591875BEA869FAE38
SHA-512:	BBE4187758D1A69F75A8CCA6B3184E0C20CF8701B16531B55ED4987497934B3C9EF66ECD5E6B83C7357F69734F1C8301B9F82F0A024BB693B732A2D5760FD303
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g...#~..#~..#~...q.. ~..#~..!~......"~......+~......"~......"~..Rich#~..........................PE..L....[.L...........!.....6...........E.......P.......................................................................P.......P..(............................p.......................................................P...............................text....5.......6.................. ..`.rdata.......P.......:..............@..@.data...8....`.......<..............@....reloc.......p.......J..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-66LSP.tmp\_isetup\_setup64.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp
File Type:	PE32+ executable (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	6144
Entropy (8bit):	4.215994423157539
Encrypted:	false
SSDEEP:	96:sfkcXegaJ/ZAYNzcld1xaX12pS5SKvkc:sfJEVYlvxaX12EF
MD5:	4FF75F505FDDCC6A9AE62216446205D9
SHA1:	EFE32D504CE72F32E92DCF01AA2752B04D81A342
SHA-256:	A4C86FC4836AC728D7BD96E7915090FD59521A9E74F1D06EF8E5A47C8695FD81
SHA-512:	BA0469851438212D19906D6DA8C4AE95FF1C0711A095D9F21F13530A6B8B21C3ACBB0FF55EDB8A35B41C1A9A342F5D3421C00BA395BC13BB1EF5902B979CE824
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......^...............l...............=\......=\......=\......Rich............................PE..d...XW:J..........#............................@.............................`..............................................................<!.......P..@....@..0.................................................................... ...............................text............................... ..`.rdata..\|.... ......................@..@.data...,....0......................@....pdata..0....@......................@..@.rsrc...@....P......................@..@................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-66LSP.tmp\_isetup\_shfoldr.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	23312
Entropy (8bit):	4.596242908851566
Encrypted:	false
SSDEEP:	384:+Vm08QoKkiWZ76UJuP71W55iWHHoSHigH2euwsHTGHVb+VHHmnH+aHjHqLHxmoq1:2m08QotiCjJuPGw4
MD5:	92DC6EF532FBB4A5C3201469A5B5EB63
SHA1:	3E89FF837147C16B4E41C30D6C796374E0B8E62C
SHA-256:	9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87
SHA-512:	9908E573921D5DBC3454A1C0A6C969AB8A81CC2E8B5385391D46B1A738FB06A76AA3282E0E58D0D2FFA6F27C85668CD5178E1500B8A39B1BBAE04366AE6A86D3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......IzJ^..$...$...$...%.".$.T87...$.[."...$...$...$.Rich..$.........................PE..L.....\;...........#..... ...4.......'.......0.....q....................................................................k...l)..<....@.../...................p..T....................................................................................text...{........ .................. ..`.data...\....0.......&..............@....rsrc..../...@...0...(..............@..@.reloc.......p.......X..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-7LVCL.tmp\99FE.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\99FE.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	709120
Entropy (8bit):	6.498765103260087
Encrypted:	false
SSDEEP:	12288:thu7eEcdCP8trP837szHUA6JCzS9Ntc3l3ER6orNjURaFDExyF:Pu7eEYCP8trP837szHUA60SLtcV3E9/T
MD5:	558517932AFFF8DEF7D6C9E9A2A51668
SHA1:	69F1830A41BF3C5F9D3E578B85071D05FAEFC934
SHA-256:	464FF8248E06554C0D76B162E9C10968648013091C93869B3C93BE6D086B632E
SHA-512:	D23BADD9D1DD0BBB370FDB4F46DCA6EBF176D42F126D7EBF751F25498A047EDA3F1C0E6FD93FCFABA0DF29B177961201AB869CF0E14E2F360DA47E7A756D69DB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................x..........x.............@..............................................@...............................%..................................................................................................................CODE.....w.......x.................. ..`DATA.................\|..............@...BSS.....l................................idata...%.......&..................@....tls.....................................rdata..............................@..P.reloc....... ......................@..P.rsrc...............................@..P.....................^..............@..P........................................................................................................................................

C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\99FE.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	709120
Entropy (8bit):	6.498765103260087
Encrypted:	false
SSDEEP:	12288:thu7eEcdCP8trP837szHUA6JCzS9Ntc3l3ER6orNjURaFDExyF:Pu7eEYCP8trP837szHUA60SLtcV3E9/T
MD5:	558517932AFFF8DEF7D6C9E9A2A51668
SHA1:	69F1830A41BF3C5F9D3E578B85071D05FAEFC934
SHA-256:	464FF8248E06554C0D76B162E9C10968648013091C93869B3C93BE6D086B632E
SHA-512:	D23BADD9D1DD0BBB370FDB4F46DCA6EBF176D42F126D7EBF751F25498A047EDA3F1C0E6FD93FCFABA0DF29B177961201AB869CF0E14E2F360DA47E7A756D69DB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 3%
Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.................x..........x.............@..............................................@...............................%..................................................................................................................CODE.....w.......x.................. ..`DATA.................\|..............@...BSS.....l................................idata...%.......&..................@....tls.....................................rdata..............................@..P.reloc....... ......................@..P.rsrc...............................@..P.....................^..............@..P........................................................................................................................................

C:\Users\user\AppData\Local\Temp\nse94C9.tmp\INetC.dll

Download File

Process:	C:\Users\user\AppData\Local\Temp\InstallSetup4.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	25600
Entropy (8bit):	5.391050633650523
Encrypted:	false
SSDEEP:	384:pjj9e9dE95XD+iTx58Y5oMM3O9MEoLr1VcQZ/ZwcSyekMRlZ4L4:dAvE90GuY2tO93oLrJRM7Z4E
MD5:	40D7ECA32B2F4D29DB98715DD45BFAC5
SHA1:	124DF3F617F562E46095776454E1C0C7BB791CC7
SHA-256:	85E03805F90F72257DD41BFDAA186237218BBB0EC410AD3B6576A88EA11DCCB9
SHA-512:	5FD4F516CE23FB7E705E150D5C1C93FC7133694BA495FB73101674A528883A013A34AB258083AA7CE6072973B067A605158316A4C9159C1B4D765761F91C513D
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......'9<.cXR.cXR.cXR.D.).jXR.cXS.6XR.D. .`XR.D.(.bXR.D...bXR.D.*.bXR.RichcXR.........................PE..L....T.[...........!.....@...j.......E.......P.......................................................................M..l...\F..d.......(.......................\.......................................................d............................text...\>.......@.................. ..`.data...dW...P.......D..............@....rsrc...(............R..............@..@.reloc..\............\..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp

Download File

Process:	C:\Users\user\AppData\Local\Temp\InstallSetup4.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	192512
Entropy (8bit):	6.823974437026099
Encrypted:	false
SSDEEP:	3072:RJmSLHTIY5mztfwI0Ml89YSpxQxaqmxxkyB9q3eQ5kt0Bm52zxuVB:7mSLsY5+130KJyQxaxxkyenCtkzxu
MD5:	F90AB999CA323DA846279F15FC70C470
SHA1:	9E51FCF51A237E838BB96F8AEE97C4BB0A9D41B2
SHA-256:	9C0B3ABCFB29FF48EEF5294BE24DCA94426396C861C76F6F32924CCC779AB077
SHA-512:	78FDB53C709EBC85D12B207B19F18CBC4C36DEBBBD838388E860C4292C4B6684D5CF4FF25F1BF9F69BDDAC9E6ECDAF1D6599C4083B62C9C6CE8B4B9D2AD31752
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 32%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................................................................................................PE..L......c......................n.....b.............@..........................pp.................................................<.....o.................................................................@............................................text............................... ..`.rdata...,..........................@..@.data....m.. ...L..................@....rsrc.........o......\..............@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite-shm

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite-shm

Download File

Process:	C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp
File Type:	data
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	0.017262956703125623
Encrypted:	false
SSDEEP:	3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5:	B7C14EC6110FA820CA6B65F5AEC85911
SHA1:	608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256:	FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512:	D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious:	false
Preview:	..-.....................................8...5.....-.....................................8...5...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Temp\Task.bat

Download File

Process:	C:\Users\user\AppData\Local\Temp\BroomSetup.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	131
Entropy (8bit):	4.797757447689461
Encrypted:	false
SSDEEP:	3:HFUuvaOpLKBchEXEtTC5WAuN+E2J5xAIEyrKBySKFS3:Ogas7SXEFAuN723faKS3
MD5:	467322334BC9A78A5E8C16164C4CFA5E
SHA1:	F8EA2C7B5BB81F45C1A4AB4CBA90A29FC60868E6
SHA-256:	5061C3009CC21C72B82EDA2440994EFC0C972F387244E5A4CC0A6DDFA0F8EECA
SHA-512:	441F536C169F90BBB8185366DA91837B892D06BBA1E413956D3D1507E12BA4D9E34A616D2920B3619A7811D1D7AC065A114280A72AFF5D0F3B180CAEA7E64C3F
Malicious:	false
Preview:	chcp 1251.. schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\user\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F..

C:\Users\user\AppData\Roaming\afiffai

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	193024
Entropy (8bit):	6.818301844183476
Encrypted:	false
SSDEEP:	3072:gJmSLHTIY5mztfxY/y7hHxAZ/kHap8HmW5KjjVB:qmSLsY5+1q/y7huNkHatjj
MD5:	31A6C56DA13533F4ADDEF7BAB188E395
SHA1:	FAAA36754AE4B8B04E89E6928338EB137A327A73
SHA-256:	A2D67DAEA33A52DE3B121B43EBF8D2C8F5F5E1EF897BC1C7CFAAA9591A9D4172
SHA-512:	AE939CFDFEE3568D4FDD848E6F026C2A09FB45AAD5885247E80323411B33DF46B28E78506DD322B2379915F1C2B61EF7E2C6C25166F93B5581A8C5BBB76CAA73
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...............................................................................................................PE..L....Y/d......................n.....b.............@..........................pp.....GP..........................................<.....o.................................................................@............................................text...F........................... ..`.rdata...,..........................@..@.data....m.. ...L..................@....rsrc.........o......^..............@..@........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\esiffai

Download File

Process:	C:\Windows\explorer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	342016
Entropy (8bit):	6.618443860215118
Encrypted:	false
SSDEEP:	6144:ApAuEruJjFJtqIJ9cMBHgVcg2N/mAthb+dw:4LEruJjFJ9jgVcg8mAHbr
MD5:	10F4053998FD9C03A187FE7F75A36697
SHA1:	E7D8BF1E601693288DB584BACD161D0CABFBE8D7
SHA-256:	25825052577F72CF9553334F78FEF5FB991EE4891A908E90555BFD16DD6A1C4E
SHA-512:	562DB4E2C79FD2D091D3282EA71CAE76EC089D2A089E52F6FF9C9D936B07D2FFB980E7C1E2B5CE1BE642B5EF381259A0C9FDF853FB7E3CEB93BE0665569813FA
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 55%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......... ...N...N...N.....N.....N.....N.....N...O...N......N......N......N.Rich..N.........PE..L....Z.d.............................-.......0....@.................................^.......................................lr..P.... .......................................................d.......................0...............................text...*........................... ..`.rdata..rL...0...N..................@..@.data............"...l..............@....tls................................@....rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\esiffai:Zone.Identifier

Download File

Process:	C:\Windows\explorer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.618443860215118
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	v6SEx6rJ3E.exe
File size:	342'016 bytes
MD5:	10f4053998fd9c03a187fe7f75a36697
SHA1:	e7d8bf1e601693288db584bacd161d0cabfbe8d7
SHA256:	25825052577f72cf9553334f78fef5fb991ee4891a908e90555bfd16dd6a1c4e
SHA512:	562db4e2c79fd2d091d3282ea71cae76ec089d2a089e52f6ff9c9d936b07d2ffb980e7c1e2b5ce1be642b5ef381259a0c9fdf853fb7e3ceb93be0665569813fa
SSDEEP:	6144:ApAuEruJjFJtqIJ9cMBHgVcg2N/mAthb+dw:4LEruJjFJ9jgVcg8mAHbr
TLSH:	E1747F1022E0E432E3A315354934F7A7097BF82269F1958F5F919B3EBE24AD1D621F1B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......... ...N...N...N.......N.......N.......N.......N...O...N.......N.......N.......N.Rich..N.........PE..L....Z.d...................

File Icon


Icon Hash:	1369455569330707

Static PE Info

General

Entrypoint:	0x402da1
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x64A55A0E [Wed Jul 5 11:54:54 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	f33a90fe7fcd2447ccf7758f25884a8c

Entrypoint Preview

Instruction
call 00007F8638DE6B95h
jmp 00007F8638DE36FEh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 20h
mov eax, dword ptr [ebp+08h]
push esi
push edi
push 00000008h
pop ecx
mov esi, 004332B0h
lea edi, dword ptr [ebp-20h]
rep movsd
mov dword ptr [ebp-08h], eax
mov eax, dword ptr [ebp+0Ch]
pop edi
mov dword ptr [ebp-04h], eax
pop esi
test eax, eax
je 00007F8638DE387Eh
test byte ptr [eax], 00000008h
je 00007F8638DE3879h
mov dword ptr [ebp-0Ch], 01994000h
lea eax, dword ptr [ebp-0Ch]
push eax
push dword ptr [ebp-10h]
push dword ptr [ebp-1Ch]
push dword ptr [ebp-20h]
call dword ptr [004330C0h]
leave
retn 0008h
mov edi, edi
push ebp
mov ebp, esp
sub esp, 00000328h
mov dword ptr [0043A328h], eax
mov dword ptr [0043A324h], ecx
mov dword ptr [0043A320h], edx
mov dword ptr [0043A31Ch], ebx
mov dword ptr [0043A318h], esi
mov dword ptr [0043A314h], edi
mov word ptr [0043A340h], ss
mov word ptr [0043A334h], cs
mov word ptr [0043A310h], ds
mov word ptr [0043A30Ch], es
mov word ptr [0043A308h], fs
mov word ptr [0043A304h], gs
pushfd
pop dword ptr [0043A338h]
mov eax, dword ptr [ebp+00h]
mov dword ptr [0043A32Ch], eax
mov eax, dword ptr [ebp+04h]
mov dword ptr [0043A330h], eax
lea eax, dword ptr [ebp+08h]

Rich Headers

Programming Language:

[ASM] VS2010 build 30319
[ C ] VS2010 build 30319
[C++] VS2010 build 30319
[IMP] VS2008 SP1 build 30729
[RES] VS2010 build 30319
[LNK] VS2010 build 30319

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3726c	0x50	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x42000	0x19e80	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x36410	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x33000	0x1b4	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3192a	0x31a00	951b1967b0b47701db78bece41fd0335	False	0.6341949386020151	data	7.018049816976223	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x33000	0x4c72	0x4e00	f82f7680215054e27d48013253c608e0	False	0.3683894230769231	data	4.953615787304543	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x38000	0x8384	0x2200	9da22fb4d4c9cb7413badcdb724a56ef	False	0.21254595588235295	data	2.4212504288944046	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x41000	0x9cd	0xa00	a371492f16c0940507435909603efe88	False	0.009375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x42000	0x19e80	0x1a000	33f4b6a24a828c8c55a575140db3fc6e	False	0.5455134465144231	data	5.78167827557686	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
AFX_DIALOG_LAYOUT	0x569a8	0x2	data	English	United States	5.0
AFX_DIALOG_LAYOUT	0x569b0	0x2	data	English	United States	5.0
RUSED	0x56368	0x60c	ASCII text, with very long lines (1548), with no line terminators	English	United States	0.6169250645994832
RT_CURSOR	0x569b8	0x130	Device independent bitmap graphic, 32 x 64 x 1, image size 0	English	United States	0.4276315789473684
RT_CURSOR	0x56b00	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	United States	0.31023454157782515
RT_ICON	0x42ac0	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	United States	0.4554904051172708
RT_ICON	0x43968	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	United States	0.601985559566787
RT_ICON	0x44210	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	English	United States	0.6837557603686636
RT_ICON	0x448d8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.7666184971098265
RT_ICON	0x44e40	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States	0.6005186721991701
RT_ICON	0x473e8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.6475140712945591
RT_ICON	0x48490	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	English	United States	0.7450819672131147
RT_ICON	0x48e18	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.7934397163120568
RT_ICON	0x492f8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors	English	United States	0.4522921108742004
RT_ICON	0x4a1a0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors	English	United States	0.572202166064982
RT_ICON	0x4aa48	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 576, 256 important colors	English	United States	0.6100230414746544
RT_ICON	0x4b110	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors	English	United States	0.6777456647398844
RT_ICON	0x4b678	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.5023858921161826
RT_ICON	0x4dc20	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.5701219512195121
RT_ICON	0x4ecc8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.6024590163934426
RT_ICON	0x4f650	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.651595744680851
RT_ICON	0x4fb30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	United States	0.39872068230277186
RT_ICON	0x509d8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	United States	0.5685920577617328
RT_ICON	0x51280	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 0	English	United States	0.6226958525345622
RT_ICON	0x51948	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	United States	0.6539017341040463
RT_ICON	0x51eb0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States	0.6446058091286307
RT_ICON	0x54458	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.6693245778611632
RT_ICON	0x55500	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 0	English	United States	0.6844262295081968
RT_ICON	0x55e88	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.7313829787234043
RT_STRING	0x57bb0	0x174	data	English	United States	0.5053763440860215
RT_STRING	0x57d28	0x402	data	English	United States	0.45419103313840153
RT_STRING	0x58130	0x558	data	English	United States	0.43640350877192985
RT_STRING	0x58688	0x504	data	English	United States	0.4400311526479751
RT_STRING	0x58b90	0x782	data	English	United States	0.42611862643080123
RT_STRING	0x59318	0x806	data	English	United States	0.40993184031158714
RT_STRING	0x59b20	0x55c	data	English	United States	0.4402332361516035
RT_STRING	0x5a080	0x152	data	English	United States	0.5118343195266272
RT_STRING	0x5a1d8	0x52a	data	English	United States	0.45007564296520425
RT_STRING	0x5a708	0xb2	data	English	United States	0.601123595505618
RT_STRING	0x5a7c0	0x6d0	data	English	United States	0.4288990825688073
RT_STRING	0x5ae90	0x5ee	data	English	United States	0.43544137022397894
RT_STRING	0x5b480	0x4dc	data	English	United States	0.4413183279742765
RT_STRING	0x5b960	0x51c	data	English	United States	0.4441896024464832
RT_ACCELERATOR	0x56978	0x20	data	English	United States	1.15625
RT_GROUP_CURSOR	0x56ae8	0x14	data	English	United States	1.15
RT_GROUP_CURSOR	0x579a8	0x14	data	English	United States	1.25
RT_GROUP_ICON	0x49280	0x76	data	English	United States	0.6610169491525424
RT_GROUP_ICON	0x4fab8	0x76	data	English	United States	0.6694915254237288
RT_GROUP_ICON	0x562f0	0x76	data	English	United States	0.6694915254237288
RT_VERSION	0x579c0	0x1f0	MS Windows COFF PowerPC object file	English	United States	0.5625
None	0x56998	0xa	data	English	United States	1.8

Imports

DLL	Import
KERNEL32.dll	EnumDateFormatsExW, GetModuleHandleExA, GetLocaleInfoA, FindResourceW, SystemTimeToTzSpecificLocalTime, HeapAlloc, EndUpdateResourceW, InterlockedIncrement, MoveFileExW, OpenJobObjectA, CreateDirectoryW, FreeEnvironmentStringsA, GetTickCount, EnumCalendarInfoExW, GetProcessHeap, GetConsoleAliasesA, GetSystemTimes, WideCharToMultiByte, GetConsoleAliasesLengthW, LoadLibraryW, GetAtomNameW, ReadFile, CompareStringW, GetStartupInfoW, WritePrivateProfileStringW, GlobalUnfix, SetCurrentDirectoryA, GetLastError, GetProcAddress, CreateNamedPipeA, LoadLibraryA, OpenWaitableTimerW, LocalAlloc, GetCurrentDirectoryA, LocalFileTimeToFileTime, EnumSystemLocalesA, GetUserDefaultLCID, SetDefaultCommConfigA, GetVolumeInformationA, PulseEvent, HeapFree, EncodePointer, DecodePointer, GetCommandLineW, HeapSetInformation, RaiseException, TerminateProcess, GetCurrentProcess, UnhandledExceptionFilter, SetUnhandledExceptionFilter, IsDebuggerPresent, IsProcessorFeaturePresent, HeapCreate, HeapDestroy, Sleep, HeapSize, GetModuleHandleW, ExitProcess, EnterCriticalSection, LeaveCriticalSection, WriteFile, GetStdHandle, GetModuleFileNameW, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, InitializeCriticalSectionAndSpinCount, GetFileType, DeleteCriticalSection, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, SetLastError, GetCurrentThreadId, InterlockedDecrement, GetCurrentThread, QueryPerformanceCounter, GetCurrentProcessId, GetSystemTimeAsFileTime, HeapReAlloc, FatalAppExitA, SetConsoleCtrlHandler, FreeLibrary, InterlockedExchange, GetLocaleInfoW, RtlUnwind, GetCPInfo, GetACP, GetOEMCP, IsValidCodePage, GetConsoleCP, GetConsoleMode, FlushFileBuffers, LCMapStringW, MultiByteToWideChar, GetStringTypeW, SetFilePointer, CloseHandle, WriteConsoleW, SetStdHandle, CreateFileW, IsValidLocale
USER32.dll	DestroyIcon
ADVAPI32.dll	DuplicateToken, ReadEventLogA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	09:42:41
Start date:	01/02/2024
Path:	C:\Users\user\Desktop\v6SEx6rJ3E.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\v6SEx6rJ3E.exe
Imagebase:	0x400000
File size:	342'016 bytes
MD5 hash:	10F4053998FD9C03A187FE7F75A36697
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.2122757186.00000000020B1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.2122757186.00000000020B1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000000.00000002.2122690423.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.2122714644.0000000002090000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.2122714644.0000000002090000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000000.00000002.2122463373.000000000048D000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:42:47
Start date:	01/02/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff609140000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	09:43:07
Start date:	01/02/2024
Path:	C:\Users\user\AppData\Roaming\esiffai
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\esiffai
Imagebase:	0x400000
File size:	342'016 bytes
MD5 hash:	10F4053998FD9C03A187FE7F75A36697
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000006.00000002.2363431931.00000000004C0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000006.00000002.2363904788.00000000004D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000006.00000002.2363904788.00000000004D0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000006.00000002.2364285288.0000000000551000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000006.00000002.2364285288.0000000000551000.00000004.10000000.00040000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000006.00000002.2364391445.00000000005AE000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 55%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	09:43:09
Start date:	01/02/2024
Path:	C:\Users\user\AppData\Local\Temp\52CE.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\52CE.exe
Imagebase:	0x400000
File size:	680'601 bytes
MD5 hash:	DD0A3EBCD915E422F47141770AF20252
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 53%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	09:43:09
Start date:	01/02/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	09:43:10
Start date:	01/02/2024
Path:	C:\Users\user\AppData\Local\Temp\58CA.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\58CA.exe
Imagebase:	0x400000
File size:	1'902'592 bytes
MD5 hash:	1274287F7DAA409EEA3E07059CF8FD51
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000009.00000002.2441680458.0000000004905000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 66%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	09:43:11
Start date:	01/02/2024
Path:	C:\Users\user\AppData\Local\Temp\5C46.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\5C46.exe
Imagebase:	0x400000
File size:	431'104 bytes
MD5 hash:	1996A23C7C764A77CCACF5808FEC23B0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 0000000A.00000002.2405732872.0000000000413000.00000004.00000001.01000000.00000008.sdmp, Author: Joe Security
Antivirus matches:	Detection: 87%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	09:43:12
Start date:	01/02/2024
Path:	C:\Windows\System32\regsvr32.exe
Wow64 process (32bit):	false
Commandline:	regsvr32 /s C:\Users\user\AppData\Local\Temp\6000.dll
Imagebase:	0x7ff750e70000
File size:	25'088 bytes
MD5 hash:	B0C2FA35D14A9FAD919E99D9D75E1B9E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	09:43:12
Start date:	01/02/2024
Path:	C:\Windows\SysWOW64\regsvr32.exe
Wow64 process (32bit):	true
Commandline:	/s C:\Users\user\AppData\Local\Temp\6000.dll
Imagebase:	0x3b0000
File size:	20'992 bytes
MD5 hash:	878E47C8656E53AE8A8A21E927C6F7E0
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	09:43:13
Start date:	01/02/2024
Path:	C:\Users\user\AppData\Local\Temp\5C46.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\5C46.exe"
Imagebase:	0x400000
File size:	431'104 bytes
MD5 hash:	1996A23C7C764A77CCACF5808FEC23B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000010.00000002.2442232703.0000000000413000.00000004.00000001.01000000.00000008.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	09:43:13
Start date:	01/02/2024
Path:	C:\Users\user\AppData\Local\Temp\58CA.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\58CA.exe
Imagebase:	0x400000
File size:	1'902'592 bytes
MD5 hash:	1274287F7DAA409EEA3E07059CF8FD51
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	09:43:17
Start date:	01/02/2024
Path:	C:\Users\user\AppData\Local\Temp\7147.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\7147.exe
Imagebase:	0x6b0000
File size:	5'991'936 bytes
MD5 hash:	AFEC1180BFCBA8D6B8BCAE439C73E1EC
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000012.00000003.2882836255.00000000017BE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000012.00000002.2887800762.00000000017BE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000012.00000003.2885033991.00000000017BE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000012.00000003.2883808615.00000000017BE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 34%, ReversingLabs
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	09:43:23
Start date:	01/02/2024
Path:	C:\Users\user\AppData\Local\Temp\8B96.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\8B96.exe
Imagebase:	0x930000
File size:	6'394'880 bytes
MD5 hash:	2AB09B6EBDA5C4FDE187A8A91AC25F64
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: MALWARE_Win_DLInjector04, Description: Detects downloader / injector, Source: C:\Users\user\AppData\Local\Temp\8B96.exe, Author: ditekSHen
Antivirus matches:	Detection: 79%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	09:43:25
Start date:	01/02/2024
Path:	C:\Users\user\AppData\Local\Temp\InstallSetup4.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\InstallSetup4.exe"
Imagebase:	0x400000
File size:	2'123'213 bytes
MD5 hash:	AB8E9C5D6AB3051C122463922F936EE8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 66%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	09:43:25
Start date:	01/02/2024
Path:	C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
Imagebase:	0x400000
File size:	4'260'752 bytes
MD5 hash:	1E2FBA96A14DB95142038A3BD5277306
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000016.00000002.2669166825.00000000053A3000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000016.00000002.2668458001.0000000004A58000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000016.00000002.2669166825.0000000004F60000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000016.00000003.2535351079.0000000005C92000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 00000016.00000002.2661056946.0000000000843000.00000040.00000001.01000000.0000000F.sdmp, Author: Joe Security
Antivirus matches:	Detection: 71%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	09:43:25
Start date:	01/02/2024
Path:	C:\Users\user\AppData\Local\Temp\BroomSetup.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\BroomSetup.exe
Imagebase:	0x400000
File size:	4'979'200 bytes
MD5 hash:	5E94F0F6265F9E8B2F706F1D46BBD39E
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000017.00000000.2496485402.0000000000401000.00000020.00000001.01000000.00000010.sdmp, Author: Joe Security Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\BroomSetup.exe, Author: Joe Security
Antivirus matches:	Detection: 21%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	24
Start time:	09:43:27
Start date:	01/02/2024
Path:	C:\Users\user\AppData\Local\Temp\99FE.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\99FE.exe
Imagebase:	0x400000
File size:	7'604'013 bytes
MD5 hash:	4D0BDD6E4F596B077EB8FAC05E502EDA
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	25
Start time:	09:43:27
Start date:	01/02/2024
Path:	C:\Users\user\AppData\Local\Temp\is-7LVCL.tmp\99FE.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-7LVCL.tmp\99FE.tmp" /SL5="$1043A,7349384,54272,C:\Users\user\AppData\Local\Temp\99FE.exe"
Imagebase:	0x400000
File size:	709'120 bytes
MD5 hash:	558517932AFFF8DEF7D6C9E9A2A51668
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 3%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	26
Start time:	09:43:28
Start date:	01/02/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\Temp\Task.bat" "
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	09:43:28
Start date:	01/02/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	09:43:29
Start date:	01/02/2024
Path:	C:\Windows\SysWOW64\chcp.com
Wow64 process (32bit):	true
Commandline:	chcp 1251
Imagebase:	0x4d0000
File size:	12'800 bytes
MD5 hash:	20A59FB950D8A191F7D35C4CA7DA9CAF
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	09:43:29
Start date:	01/02/2024
Path:	C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\nsh9BCF.tmp
Imagebase:	0x400000
File size:	192'512 bytes
MD5 hash:	F90AB999CA323DA846279F15FC70C470
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 0000001E.00000002.3306141637.0000000002B70000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000001E.00000002.3306141637.0000000002B70000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 0000001E.00000002.3308661443.0000000002BE5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001E.00000002.3301685410.000000000043C000.00000040.00000001.01000000.00000015.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 0000001E.00000003.2588311330.0000000004760000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000001E.00000002.3311798789.0000000002C09000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 0000001E.00000002.3301685410.0000000000400000.00000040.00000001.01000000.00000015.sdmp, Author: Joe Security
Antivirus matches:	Detection: 32%, ReversingLabs
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	09:43:29
Start date:	01/02/2024
Path:	C:\Users\user\AppData\Local\Temp\99FE.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\99FE.exe" /SPAWNWND=$1049A /NOTIFYWND=$1043A
Imagebase:	0x400000
File size:	7'604'013 bytes
MD5 hash:	4D0BDD6E4F596B077EB8FAC05E502EDA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Show Windows behavior

Target ID:	32
Start time:	09:43:30
Start date:	01/02/2024
Path:	C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\is-QI89Q.tmp\99FE.tmp" /SL5="$204D0,7349384,54272,C:\Users\user\AppData\Local\Temp\99FE.exe" /SPAWNWND=$1049A /NOTIFYWND=$1043A
Imagebase:	0x400000
File size:	709'120 bytes
MD5 hash:	558517932AFFF8DEF7D6C9E9A2A51668
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 3%, ReversingLabs
Has exited:	false

Show Windows behavior

Target ID:	33
Start time:	09:43:30
Start date:	01/02/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\user\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
Imagebase:	0xa60000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	09:43:34
Start date:	01/02/2024
Path:	C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe" -i
Imagebase:	0x400000
File size:	3'011'887 bytes
MD5 hash:	75BC189F3B2906887761C60E480B7CCF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	09:43:34
Start date:	01/02/2024
Path:	C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Key Signatures verification\ksverify.exe" -s
Imagebase:	0x400000
File size:	3'011'887 bytes
MD5 hash:	75BC189F3B2906887761C60E480B7CCF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000023.00000002.4721026220.0000000000B21000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Socks5Systemz, Description: Yara detected Socks5Systemz, Source: 00000023.00000002.4714471412.00000000008BE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	36
Start time:	09:43:35
Start date:	01/02/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Sysnative\cmd.exe /C fodhelper
Imagebase:	0x7ff67a350000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	09:43:35
Start date:	01/02/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	09:43:35
Start date:	01/02/2024
Path:	C:\Users\user\AppData\Local\Temp\BD27.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\BD27.exe
Imagebase:	0x400000
File size:	193'024 bytes
MD5 hash:	31A6C56DA13533F4ADDEF7BAB188E395
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000026.00000002.2679986992.0000000002BC0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000026.00000003.2625881100.0000000002BD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000026.00000002.2680038796.0000000002BD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000026.00000002.2680038796.0000000002BD0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000026.00000002.2680618871.0000000002C79000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000026.00000002.2680205009.0000000002C11000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000026.00000002.2680205009.0000000002C11000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	09:43:35
Start date:	01/02/2024
Path:	C:\Windows\System32\fodhelper.exe
Wow64 process (32bit):	false
Commandline:	fodhelper
Imagebase:	0x7ff6153d0000
File size:	49'664 bytes
MD5 hash:	85018BE1FD913656BC9FF541F017EACD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	09:43:36
Start date:	01/02/2024
Path:	C:\Windows\System32\fodhelper.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\fodhelper.exe"
Imagebase:	0x7ff6153d0000
File size:	49'664 bytes
MD5 hash:	85018BE1FD913656BC9FF541F017EACD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	09:43:36
Start date:	01/02/2024
Path:	C:\Windows\System32\fodhelper.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\fodhelper.exe"
Imagebase:	0x7ff6153d0000
File size:	49'664 bytes
MD5 hash:	85018BE1FD913656BC9FF541F017EACD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	43
Start time:	09:43:37
Start date:	01/02/2024
Path:	C:\ProgramData\Drivers\csrss.exe
Wow64 process (32bit):	true
Commandline:	"C:\ProgramData\Drivers\csrss.exe"
Imagebase:	0x400000
File size:	1'902'592 bytes
MD5 hash:	1274287F7DAA409EEA3E07059CF8FD51
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000002B.00000002.2660260455.0000000004E00000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 66%, ReversingLabs Detection: 55%, Virustotal, Browse
Has exited:	true

Show Windows behavior

Target ID:	44
Start time:	09:43:38
Start date:	01/02/2024
Path:	C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
Imagebase:	0x400000
File size:	4'260'752 bytes
MD5 hash:	1E2FBA96A14DB95142038A3BD5277306
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 0000002C.00000002.2739842815.0000000004FE0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 0000002C.00000002.2728077355.0000000004BE0000.00000040.00000020.00020000.00000000.sdmp, Author: unknown Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 0000002C.00000002.2695084948.0000000000843000.00000040.00000001.01000000.0000000F.sdmp, Author: Joe Security Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 0000002C.00000003.2663525231.0000000005D12000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Glupteba, Description: Yara detected Glupteba, Source: 0000002C.00000002.2739842815.0000000005423000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	4.3%
Dynamic/Decrypted Code Coverage:	16%
Signature Coverage:	46.3%
Total number of Nodes:	175
Total number of Limit Nodes:	5

Executed Functions

Function 00428960 Relevance: 24.7, APIs: 3, Strings: 11, Instructions: 233
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(0043EE78,0BB7EA7B,4BBE82DD,2FC43CC7,52860AB1,6AD71B2C,43FE4454,34026A25), ref: 004291D8
GetProcAddress.KERNEL32(00000000,00435F64), ref: 004291E4
VirtualProtect.KERNELBASE(0043CD7C,0043F1FC,00000040,?), ref: 00429204

Strings

o:?, xrefs: 00428FFD
R'._, xrefs: 00428D60
:/X, xrefs: 00428C9B
)?u, xrefs: 00429075
U99x, xrefs: 00428AC2
6, xrefs: 00428AD8
F(+, xrefs: 00428A1E
O8##, xrefs: 00428BF4
dFfX, xrefs: 00428C85
X2R, xrefs: 00428B8F
v;^:, xrefs: 00428DB8

Memory Dump Source

Source File: 00000000.00000002.2122143654.000000000041B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0041B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41b000_v6SEx6rJ3E.jbxd

Similarity

API ID: AddressLibraryLoadProcProtectVirtual
String ID: )?u$:/X$F(+$O8##$R'._$U99x$X2R$dFfX$v;^:$o:?$6
API String ID: 3509694964-975362989
Opcode ID: c82d65674d401a7b1e414bfab665a5464b6362d272e7cd9f9191cd6ae349ec4d
Instruction ID: 0e50527ba4b031e140859e919ad1d7d9e103cce3504a35f0edd814b3be7eb076
Opcode Fuzzy Hash: c82d65674d401a7b1e414bfab665a5464b6362d272e7cd9f9191cd6ae349ec4d
Instruction Fuzzy Hash: 4C02A6B400E385CBD2B49F469689B8EBBE0BB95704F608A0CD5DD1A224CB754589CF97

Uniqueness

Uniqueness Score: -1.00%

Function 00401553 Relevance: 10.7, APIs: 7, Instructions: 208
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401667
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401685
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016C6
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016F7
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401719

Memory Dump Source

Source File: 00000000.00000002.2122123613.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_v6SEx6rJ3E.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 1cdcbea8673e3ba493c5bd81f578c50c028e74630b806944f59cf8ede5196817
Instruction ID: ffaca3094f7e189a6d1e876f152d3a102a579446f97b5118db7f8e4db1241ca1
Opcode Fuzzy Hash: 1cdcbea8673e3ba493c5bd81f578c50c028e74630b806944f59cf8ede5196817
Instruction Fuzzy Hash: FB613075A00204FBEB209F91CC49FAF7BB8EF85700F10412AF912BA1E5D7759941DB66

Uniqueness

Uniqueness Score: -1.00%

Function 0040156B Relevance: 10.7, APIs: 7, Instructions: 176
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401667
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401685
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016C6
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016F7
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401719

Memory Dump Source

Source File: 00000000.00000002.2122123613.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_v6SEx6rJ3E.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: c2bbe74deda3eb27cc46c97da06047b5daec93b008bb2466c6e516ff61897217
Instruction ID: bfc0b8c1e1aad88884ae744cc722ee3a04b4b25e2f03b0569bf5ee1b63965b96
Opcode Fuzzy Hash: c2bbe74deda3eb27cc46c97da06047b5daec93b008bb2466c6e516ff61897217
Instruction Fuzzy Hash: 34512B75900205BBEB209F91CC49FAF7BB8FF85B00F14412AF912BA2E5D7759941CB25

Uniqueness

Uniqueness Score: -1.00%

Function 00401561 Relevance: 10.7, APIs: 7, Instructions: 175
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401667
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401685
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016C6
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016F7
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401719

Memory Dump Source

Source File: 00000000.00000002.2122123613.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_v6SEx6rJ3E.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: f5d4f3e6d24d18269c7d341504c2ba3eacb72c3278c0acdc5b4cfb2713eaeaae
Instruction ID: 412e9309e7daddaa9b19f32dddfbffbd79934f2f1d3bc440b9a7152e2b53a84f
Opcode Fuzzy Hash: f5d4f3e6d24d18269c7d341504c2ba3eacb72c3278c0acdc5b4cfb2713eaeaae
Instruction Fuzzy Hash: 235119B1900205BFEB209F91CC49FAF7BB8EF85B00F14412AF912BA2E5D7759941CB25

Uniqueness

Uniqueness Score: -1.00%

Function 0040156F Relevance: 10.7, APIs: 7, Instructions: 172
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401667
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401685
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016C6
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016F7
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401719

Memory Dump Source

Source File: 00000000.00000002.2122123613.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_v6SEx6rJ3E.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 8d7d0f05522378b87eb0e5b73b0488eef97448bc713828db65d76f104e18ff93
Instruction ID: 5723072b253cbae10e330d7def6e8ce5ab34414c0c11206194204dab9df800f9
Opcode Fuzzy Hash: 8d7d0f05522378b87eb0e5b73b0488eef97448bc713828db65d76f104e18ff93
Instruction Fuzzy Hash: 6A5109B1900205BBEB209F91CC49FAF7BB8EF85B00F144129FA11BA2E5D6759945CB24

Uniqueness

Uniqueness Score: -1.00%

Function 00401583 Relevance: 10.7, APIs: 7, Instructions: 171
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401667
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401685
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016C6
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016F7
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401719

Memory Dump Source

Source File: 00000000.00000002.2122123613.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_v6SEx6rJ3E.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: bd72895939b5cf7358d34c5469aba93b22efce73c39120c4875d5ae9870c0d64
Instruction ID: be4f3395432beacb56dc40f225edc855b7308e08cbc6b66c5e1fe0de6445bc19
Opcode Fuzzy Hash: bd72895939b5cf7358d34c5469aba93b22efce73c39120c4875d5ae9870c0d64
Instruction Fuzzy Hash: D6510BB1900205BBEB209F91CC49FAF7BB8EF85B00F14412AFA11BA2E5D7759945CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00401587 Relevance: 10.7, APIs: 7, Instructions: 166
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401667
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401685
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016C6
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016F7
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401719

Memory Dump Source

Source File: 00000000.00000002.2122123613.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_v6SEx6rJ3E.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 1ec31b479fd08731287e8d0e55fe4d339ef2a67852c713b723290c7befe848b2
Instruction ID: c9324331886a871ff7b65cfc1a3adde32c11ca3f72b54674233341407885f4d3
Opcode Fuzzy Hash: 1ec31b479fd08731287e8d0e55fe4d339ef2a67852c713b723290c7befe848b2
Instruction Fuzzy Hash: 7E511A71900249BBEB209F91CC48FEF7BB8EF85B00F144169F911AA2E5D7759945CB24

Uniqueness

Uniqueness Score: -1.00%

Function 00401729 Relevance: 4.7, APIs: 3, Instructions: 179
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016C6
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016F7
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401719

Memory Dump Source

Source File: 00000000.00000002.2122123613.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_v6SEx6rJ3E.jbxd

Similarity

API ID: Section$View$Create
String ID:
API String ID: 33071139-0
Opcode ID: b6b7661ceeaa473891237c732f5305db374e8f07cd43916073c5c2763a81e662
Instruction ID: bb29a515743844fa426f6922f48e3936f90c9c278b9ffb8c9c9d974ad6050a99
Opcode Fuzzy Hash: b6b7661ceeaa473891237c732f5305db374e8f07cd43916073c5c2763a81e662
Instruction Fuzzy Hash: 69519272904104EBEB249A55CC44FAA77B5FF85700F24813BE842772F0D67C6942E65B

Uniqueness

Uniqueness Score: -1.00%

Function 0049097D Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 004909A5
Module32First.KERNEL32(00000000,00000224), ref: 004909C5

Memory Dump Source

Source File: 00000000.00000002.2122463373.000000000048D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0048D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48d000_v6SEx6rJ3E.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 1b4e07b970897d26cb4bea9ae373650846bc7612b80d4fb0ac742b7143ed75cd
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 02F062721007106FEB202AB5A88DB6F7AE8AF49725F10053AF642915C1DB74EC458669

Uniqueness

Uniqueness Score: -1.00%

Function 0208003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 0208024D

Strings

cess, xrefs: 0208018D
kernel32.dll, xrefs: 0208008F, 02080095

Memory Dump Source

Source File: 00000000.00000002.2122690423.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2080000_v6SEx6rJ3E.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 094ada9956a38843da231dd86c67634bf040858582ffe9a2bc1163de5be843d6
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 7D527A75A01229DFDBA4CF58C984BADBBB1BF09304F1480D9E54DAB351DB30AA89DF14

Uniqueness

Uniqueness Score: -1.00%

Function 02080E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,02080223,?,?), ref: 02080E19
SetErrorMode.KERNELBASE(00000000,?,?,02080223,?,?), ref: 02080E1E

Memory Dump Source

Source File: 00000000.00000002.2122690423.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2080000_v6SEx6rJ3E.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 0594162c44c975425590a9f4248303b472abad866a18c321087184769bf3c7dc
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 20D0123214522877D7413A94DC09BCE7B5CDF05B66F008011FB0DD9080C770954046E5

Uniqueness

Uniqueness Score: -1.00%

Function 00429210 Relevance: 1.5, APIs: 1, Instructions: 9
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(0043B008,004297F1), ref: 00429240

Memory Dump Source

Source File: 00000000.00000002.2122143654.000000000041B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0041B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41b000_v6SEx6rJ3E.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 177fc11dcc205afec358612b5d0d20c0cb4e35a1d7222503bff46025a820a84b
Instruction ID: 80b939fd025755d65466c522ce09237161ee75e88e92ffac205c303e2f9a118c
Opcode Fuzzy Hash: 177fc11dcc205afec358612b5d0d20c0cb4e35a1d7222503bff46025a820a84b
Instruction Fuzzy Hash: 06D0C968555B80C9CB0D8F14AA497063E71EB1170CB40B06DD3B05A232D3B80148DBDD

Uniqueness

Uniqueness Score: -1.00%

Function 0040193E Relevance: 1.3, APIs: 1, Instructions: 63
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388,0000006E), ref: 00401999

Part of subcall function 00401553: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
Part of subcall function 00401553: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644

Memory Dump Source

Source File: 00000000.00000002.2122123613.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_v6SEx6rJ3E.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 71f746a8505fe108ed8da4cdd9973d259565c9a68103dfaed9332816d2b6fe75
Instruction ID: 4db8ba0b08380255fc5aa34ea3e13561f838480f888933e927f1079a64c57490
Opcode Fuzzy Hash: 71f746a8505fe108ed8da4cdd9973d259565c9a68103dfaed9332816d2b6fe75
Instruction Fuzzy Hash: 9A11CEF120C208FBEB006A959D62E7A3268AB40714F304137BA43790F1D57E8923F76B

Uniqueness

Uniqueness Score: -1.00%

Function 0040194A Relevance: 1.3, APIs: 1, Instructions: 57
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388,0000006E), ref: 00401999

Part of subcall function 00401553: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
Part of subcall function 00401553: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644

Memory Dump Source

Source File: 00000000.00000002.2122123613.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_v6SEx6rJ3E.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: da38201a32f90b98934b488a65b371e434f1df0c2a04d29242935d2455de016b
Instruction ID: 0371ecd990254dd767a604aa567081474727263e4e3774a05daf7e54a603023c
Opcode Fuzzy Hash: da38201a32f90b98934b488a65b371e434f1df0c2a04d29242935d2455de016b
Instruction Fuzzy Hash: A901A1B120C204EBDB009A95DD62E7A3364AB40314F30453BBA437A1F1C67D9913E72B

Uniqueness

Uniqueness Score: -1.00%

Function 0040195C Relevance: 1.3, APIs: 1, Instructions: 52
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388,0000006E), ref: 00401999

Part of subcall function 00401553: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
Part of subcall function 00401553: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644

Memory Dump Source

Source File: 00000000.00000002.2122123613.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_v6SEx6rJ3E.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 5e3dbe5dd20a4fb5b92f76c9b13fda5f390ba4e8200e1751a23b03b4d52e4fb4
Instruction ID: 3b2e7dc224df146109f963d95c0ead7a9e1b698bafe8296883a7ac19869aede1
Opcode Fuzzy Hash: 5e3dbe5dd20a4fb5b92f76c9b13fda5f390ba4e8200e1751a23b03b4d52e4fb4
Instruction Fuzzy Hash: BA0171B5208204EADB006AD5DD71E7A3269AB44314F304537BA43791F1D57D8912F72B

Uniqueness

Uniqueness Score: -1.00%

Function 00401973 Relevance: 1.3, APIs: 1, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388,0000006E), ref: 00401999

Part of subcall function 00401553: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
Part of subcall function 00401553: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644

Memory Dump Source

Source File: 00000000.00000002.2122123613.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_v6SEx6rJ3E.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: acb1fae293eb73a10805bbdd55e216ebbc49928181db8483aeacc3243d44ee5b
Instruction ID: 4b03b50232763afd30ab0c608f125a1a80ed78bb00471cf4ed55e3bed959d7b6
Opcode Fuzzy Hash: acb1fae293eb73a10805bbdd55e216ebbc49928181db8483aeacc3243d44ee5b
Instruction Fuzzy Hash: F80184B5208204EBDB006AD5DD71EBA3269AB44354F304537BA43790F1C57D8912F72B

Uniqueness

Uniqueness Score: -1.00%

Function 00401964 Relevance: 1.3, APIs: 1, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388,0000006E), ref: 00401999

Part of subcall function 00401553: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
Part of subcall function 00401553: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644

Memory Dump Source

Source File: 00000000.00000002.2122123613.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_v6SEx6rJ3E.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: e5353c19dd0b10c2d892503bd00f36fba5e3f507ee708bcba0cfbdc82fbef293
Instruction ID: f592bab324d3cd5d6286c78059ef0a1e8702b22de7bd53a4ec4d5e19e7ef6e8c
Opcode Fuzzy Hash: e5353c19dd0b10c2d892503bd00f36fba5e3f507ee708bcba0cfbdc82fbef293
Instruction Fuzzy Hash: 0D0184B5208204EBDB006AC5DD62EBA3265AB44314F204537FA43791F1C57D8912F72B

Uniqueness

Uniqueness Score: -1.00%

Function 0049063C Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 0049068D

Memory Dump Source

Source File: 00000000.00000002.2122463373.000000000048D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0048D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48d000_v6SEx6rJ3E.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 63f32d7fb71f5f1c3c07e54bff381220643d2d9478dff14604131c9053b11f78
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 95113C79A00208EFDB01DF98C985E99BFF5AF09350F0580A5FA489B362D375EA50DF94

Uniqueness

Uniqueness Score: -1.00%

Function 00401987 Relevance: 1.3, APIs: 1, Instructions: 46sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388,0000006E), ref: 00401999

Part of subcall function 00401553: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
Part of subcall function 00401553: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644

Memory Dump Source

Source File: 00000000.00000002.2122123613.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_v6SEx6rJ3E.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 74fb996ba95ec06bb2abe22af5600ab9efc13f551b73dbf86f34961914988ff4
Instruction ID: 68c2b1bb8267a16b47d2b790190fa602822f098e0b694be4ddc2e306b3be1968
Opcode Fuzzy Hash: 74fb996ba95ec06bb2abe22af5600ab9efc13f551b73dbf86f34961914988ff4
Instruction Fuzzy Hash: 2AF086B5208204FADB006BD59D61EBA3768AB44354F204137BA13790F1C57D8912F72B

Uniqueness

Uniqueness Score: -1.00%

Function 0040197A Relevance: 1.3, APIs: 1, Instructions: 45sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388,0000006E), ref: 00401999

Part of subcall function 00401553: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
Part of subcall function 00401553: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644

Memory Dump Source

Source File: 00000000.00000002.2122123613.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_v6SEx6rJ3E.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: f19d6598d7b3f8bbc47500c90c3d0bc6a0ede41a7b6f28d3ccddc132527cc834
Instruction ID: 49220a4dcaca44086484813bdb512237367292e15b320859d1a96440f4f24ef4
Opcode Fuzzy Hash: f19d6598d7b3f8bbc47500c90c3d0bc6a0ede41a7b6f28d3ccddc132527cc834
Instruction Fuzzy Hash: 7801A7B1208244FBDB016BD19D62EB93768AB05354F204537FA53790F2C67D8912E72B

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004293E0 Relevance: 49.3, APIs: 26, Strings: 2, Instructions: 272timememoryCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0042942D
GetLastError.KERNEL32(?,?,?,?,?,0043814C,?,?,?,?,004328D3,000000FF), ref: 00429433
GetConsoleAliasesA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,0043814C,?,?,?,?,004328D3,000000FF), ref: 0042943F
CreateDirectoryW.KERNEL32(00000000,00000000,?,?,?,?,?,0043814C,?,?,?,?,004328D3,000000FF), ref: 0042945B
PulseEvent.KERNEL32(00000000), ref: 004294AF
FindResourceW.KERNEL32(00000000,00000000,00000000), ref: 004294BB
InterlockedIncrement.KERNEL32(?), ref: 004294D7
DestroyCursor.USER32(00000000), ref: 004294DF
SetDefaultCommConfigA.KERNEL32(00435F74,?,00000000), ref: 00429510
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00429518
GetCurrentDirectoryA.KERNEL32(00000000,?), ref: 00429527
EnumDateFormatsExW.KERNEL32(00000000,00000000,00000000), ref: 00429533
GetStartupInfoW.KERNEL32(00000000), ref: 00429544
GetModuleHandleExA.KERNEL32(00000000,00435F84,?), ref: 00429561
OpenJobObjectA.KERNEL32(00000000,00000000,00000000), ref: 0042960D
GetConsoleAliasesLengthW.KERNEL32(00000000), ref: 0042961F
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00429635
GetLocaleInfoA.KERNEL32(00000000,00000000,?,00000000), ref: 00429648
GlobalUnfix.KERNEL32(00000000), ref: 00429650
SystemTimeToTzSpecificLocalTime.KERNEL32(?,00000000,00000000), ref: 004296A9
SetCurrentDirectoryA.KERNEL32(00000000), ref: 004296B1
MoveFileExW.KERNEL32(00000000,00000000,00000000), ref: 004296BD
OpenWaitableTimerW.KERNEL32(00000000,00000000,00435FC0), ref: 004296CC
CompareStringW.KERNEL32(00000000,00000000,00436000,00000000,00435FF0,00000000), ref: 004296E4
GetProcessHeap.KERNEL32 ref: 004296EA
DuplicateToken.ADVAPI32(00000000,?,00000000), ref: 004297E4

Strings

tl_, xrefs: 00429480
rolawijejojomomadiyoc linomizocohu, xrefs: 00429579

Memory Dump Source

Source File: 00000000.00000002.2122143654.000000000041B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0041B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41b000_v6SEx6rJ3E.jbxd

Similarity

API ID: Directory$AliasesConsoleCurrentInfoOpenTime$ByteCharCommCompareConfigCountCreateCursorDateDefaultDestroyDuplicateEnumEnvironmentErrorEventFileFindFormatsFreeGlobalHandleHeapIncrementInterlockedLastLengthLocalLocaleModuleMoveMultiObjectProcessPulseResourceSpecificStartupStringStringsSystemTickTimerTokenUnfixWaitableWide
String ID: rolawijejojomomadiyoc linomizocohu$tl_
API String ID: 1921510943-543283259
Opcode ID: b12ee619fb321c931cc0e0a795eee1f3fdf153278b53ee1f33741cbf59ba91f2
Instruction ID: 383bfb50e9770760059b075bd7030f224d1257b594166e4078eddca920172dc2
Opcode Fuzzy Hash: b12ee619fb321c931cc0e0a795eee1f3fdf153278b53ee1f33741cbf59ba91f2
Instruction Fuzzy Hash: 75B18070E44214EBEB24EF51EC46BD97770BB08706F5051BAF209AA2D1D7B81A84CF5E

Uniqueness

Uniqueness Score: -1.00%

Function 00429330 Relevance: 6.0, APIs: 4, Instructions: 50pipetimeCOMMON

Download Yara Rule

APIs

Part of subcall function 004292A0: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 004292B7
Part of subcall function 004292A0: LoadLibraryA.KERNEL32(00000000), ref: 004292BF

FreeEnvironmentStringsA.KERNEL32(00000000), ref: 0042936B
ReadEventLogA.ADVAPI32(00000000,00000000,00000000,?,00000000,?,?), ref: 00429388
CreateNamedPipeA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042939E
LocalFileTimeToFileTime.KERNEL32 ref: 004293BE

Memory Dump Source

Source File: 00000000.00000002.2122143654.000000000041B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0041B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41b000_v6SEx6rJ3E.jbxd

Similarity

API ID: FileTime$AllocateCreateEnvironmentEventFreeHeapLibraryLoadLocalNamedPipeReadStrings
String ID:
API String ID: 3811978434-0
Opcode ID: 443718bbd43fc4c96e3af459f3c541e8ec4a4aa86c5f93e77ac8b1c946b6dced
Instruction ID: 8cf1fd32eb33782c2d8b6dbf0dab4f1c630b3bf39d8709dcf0aeb079219da625
Opcode Fuzzy Hash: 443718bbd43fc4c96e3af459f3c541e8ec4a4aa86c5f93e77ac8b1c946b6dced
Instruction Fuzzy Hash: 1F014CB1244301EFD314DF54EC85F9AB7F4BB89705F40492DF2598B1A0D774AA48CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 0208092B Relevance: 3.8, Strings: 3, Instructions: 90COMMON

Download Yara Rule

Strings

l, xrefs: 02080966
., xrefs: 0208095F
GetProcAddress., xrefs: 020809DC, 020809DF, 020809E4

Memory Dump Source

Source File: 00000000.00000002.2122690423.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2080000_v6SEx6rJ3E.jbxd

Yara matches

Similarity

API ID:
String ID: .$GetProcAddress.$l
API String ID: 0-2784972518
Opcode ID: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction ID: 761247b40084aa777b878560d26c120f0ea522af0afc58718300f8bafaa69f72
Opcode Fuzzy Hash: 067b9ac1cfdfa220879cc7a8ef70782a20aa364414f13e2dc252473fde93e59c
Instruction Fuzzy Hash: F5313BB6910709DFDB11DF99C880AAEBBF6FF48324F15405AD881A7310D771EA49CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0049025A Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122463373.000000000048D000.00000040.00000020.00020000.00000000.sdmp, Offset: 0048D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_48d000_v6SEx6rJ3E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction ID: fb1a716fe9db1e43bee3d0a918edc3b3ee08060a7df50d4d8171206925a38ee5
Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
Instruction Fuzzy Hash: 3211CE72340100AFDB40DF55DC85FA677EAFB88360B2980AAED04CB342D679EC02C760

Uniqueness

Uniqueness Score: -1.00%

Function 02080D90 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122690423.0000000002080000.00000040.00001000.00020000.00000000.sdmp, Offset: 02080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2080000_v6SEx6rJ3E.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction ID: 62ef794621d5ea3b2d77e87dd9d73198f7d5adc64546af18e458383c1f14b76b
Opcode Fuzzy Hash: 4464db465ba34ef3b506432a1509cd0f617e3f47c711957a903ed9c1c8e80aab
Instruction Fuzzy Hash: C701F272A107008FDF22EF20C805BAB33E6FB86316F0540A4D94A97281E770A8498B80

Uniqueness

Uniqueness Score: -1.00%

Function 004023E5 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122123613.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_v6SEx6rJ3E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0f638128aba8f2e57abeaf16cd5152cf31c34a5a8aefa37a689e9950b3c5785
Instruction ID: d35cd02017a8908298582cacd0956aff43537afd2df8e264233619bb44fb754d
Opcode Fuzzy Hash: c0f638128aba8f2e57abeaf16cd5152cf31c34a5a8aefa37a689e9950b3c5785
Instruction Fuzzy Hash: 82C08C72D960008AE65BC6908A87644BB33F003830B341F2DC5018F126D272C2178220

Uniqueness

Uniqueness Score: -1.00%

Function 004026A0 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2122123613.0000000000400000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_v6SEx6rJ3E.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43de6de374997940977aed32f8962cbc5b01e7d76103009d4fd772cc687ca080
Instruction ID: b8708e0fd601c17419c4bee628408aeaf70cc106fe2e9d70b960fe5b7e9fb35e
Opcode Fuzzy Hash: 43de6de374997940977aed32f8962cbc5b01e7d76103009d4fd772cc687ca080
Instruction Fuzzy Hash: 0DC02B7308020940C754CE701A0010CF2D09555208F31FD234005FF182D260F1C755C2

Uniqueness

Uniqueness Score: -1.00%

Function 0042BD8B Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 106COMMON

Download Yara Rule

Strings

csm, xrefs: 0042BE89
MOC, xrefs: 0042BDB3
RCC, xrefs: 0042BDBE
csm, xrefs: 0042BDD2

Memory Dump Source

Source File: 00000000.00000002.2122143654.000000000041B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0041B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41b000_v6SEx6rJ3E.jbxd

Similarity

API ID:
String ID: MOC$RCC$csm$csm
API String ID: 0-1441736206
Opcode ID: 51ddc7d622768b648994bfc901679fd71fd89309388f9c8a2b7e661c37d1a842
Instruction ID: e6b5bf135bbd4fa504faa0114ddd5047e9e76c7fed377544e84da5609ec1682d
Opcode Fuzzy Hash: 51ddc7d622768b648994bfc901679fd71fd89309388f9c8a2b7e661c37d1a842
Instruction Fuzzy Hash: 6931AF316006258FCB309E59E4887EB73A8EF10305FDA886BDA85D7251D778DD448BDA

Uniqueness

Uniqueness Score: -1.00%

Function 0042AA4D Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0042AA73

Part of subcall function 0042A862: __fltout2.LIBCMT ref: 0042A88D

__cftog_l.LIBCMT ref: 0042AA99
__cftoe_l.LIBCMT ref: 0042AACB

Memory Dump Source

Source File: 00000000.00000002.2122143654.000000000041B000.00000020.00000001.01000000.00000003.sdmp, Offset: 0041B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_41b000_v6SEx6rJ3E.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 843931e506ad9f7667999f9533ecfb8930c9daf0a1febf59d810d17d1cd26479
Instruction ID: 03e6678406b2270711dd0135c87aafb7db3c484a9530a0e9959f614f83b4301a
Opcode Fuzzy Hash: 843931e506ad9f7667999f9533ecfb8930c9daf0a1febf59d810d17d1cd26479
Instruction Fuzzy Hash: A9117232100159BBCF125E85ED02CEE3F62BF18354B998816FE1954131C33AD9B1EB8A

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: esiffaiPID: 5052, Parent PID: 1064COMMON

Execution Graph

Execution Coverage:	4.2%
Dynamic/Decrypted Code Coverage:	16%
Signature Coverage:	0%
Total number of Nodes:	175
Total number of Limit Nodes:	5

Executed Functions

Function 00401553 Relevance: 10.7, APIs: 7, Instructions: 208
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401667
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401685
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016C6
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016F7
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401719

Memory Dump Source

Source File: 00000006.00000002.2362904408.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_esiffai.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 1cdcbea8673e3ba493c5bd81f578c50c028e74630b806944f59cf8ede5196817
Instruction ID: ffaca3094f7e189a6d1e876f152d3a102a579446f97b5118db7f8e4db1241ca1
Opcode Fuzzy Hash: 1cdcbea8673e3ba493c5bd81f578c50c028e74630b806944f59cf8ede5196817
Instruction Fuzzy Hash: FB613075A00204FBEB209F91CC49FAF7BB8EF85700F10412AF912BA1E5D7759941DB66

Uniqueness

Uniqueness Score: -1.00%

Function 0040156B Relevance: 10.7, APIs: 7, Instructions: 176
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401667
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401685
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016C6
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016F7
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401719

Memory Dump Source

Source File: 00000006.00000002.2362904408.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_esiffai.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: c2bbe74deda3eb27cc46c97da06047b5daec93b008bb2466c6e516ff61897217
Instruction ID: bfc0b8c1e1aad88884ae744cc722ee3a04b4b25e2f03b0569bf5ee1b63965b96
Opcode Fuzzy Hash: c2bbe74deda3eb27cc46c97da06047b5daec93b008bb2466c6e516ff61897217
Instruction Fuzzy Hash: 34512B75900205BBEB209F91CC49FAF7BB8FF85B00F14412AF912BA2E5D7759941CB25

Uniqueness

Uniqueness Score: -1.00%

Function 00401561 Relevance: 10.7, APIs: 7, Instructions: 175
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401667
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401685
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016C6
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016F7
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401719

Memory Dump Source

Source File: 00000006.00000002.2362904408.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_esiffai.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: f5d4f3e6d24d18269c7d341504c2ba3eacb72c3278c0acdc5b4cfb2713eaeaae
Instruction ID: 412e9309e7daddaa9b19f32dddfbffbd79934f2f1d3bc440b9a7152e2b53a84f
Opcode Fuzzy Hash: f5d4f3e6d24d18269c7d341504c2ba3eacb72c3278c0acdc5b4cfb2713eaeaae
Instruction Fuzzy Hash: 235119B1900205BFEB209F91CC49FAF7BB8EF85B00F14412AF912BA2E5D7759941CB25

Uniqueness

Uniqueness Score: -1.00%

Function 0040156F Relevance: 10.7, APIs: 7, Instructions: 172
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401667
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401685
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016C6
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016F7
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401719

Memory Dump Source

Source File: 00000006.00000002.2362904408.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_esiffai.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 8d7d0f05522378b87eb0e5b73b0488eef97448bc713828db65d76f104e18ff93
Instruction ID: 5723072b253cbae10e330d7def6e8ce5ab34414c0c11206194204dab9df800f9
Opcode Fuzzy Hash: 8d7d0f05522378b87eb0e5b73b0488eef97448bc713828db65d76f104e18ff93
Instruction Fuzzy Hash: 6A5109B1900205BBEB209F91CC49FAF7BB8EF85B00F144129FA11BA2E5D6759945CB24

Uniqueness

Uniqueness Score: -1.00%

Function 00401583 Relevance: 10.7, APIs: 7, Instructions: 171
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401667
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401685
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016C6
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016F7
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401719

Memory Dump Source

Source File: 00000006.00000002.2362904408.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_esiffai.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: bd72895939b5cf7358d34c5469aba93b22efce73c39120c4875d5ae9870c0d64
Instruction ID: be4f3395432beacb56dc40f225edc855b7308e08cbc6b66c5e1fe0de6445bc19
Opcode Fuzzy Hash: bd72895939b5cf7358d34c5469aba93b22efce73c39120c4875d5ae9870c0d64
Instruction Fuzzy Hash: D6510BB1900205BBEB209F91CC49FAF7BB8EF85B00F14412AFA11BA2E5D7759945CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00401587 Relevance: 10.7, APIs: 7, Instructions: 166
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401667
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 00401685
NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016C6
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016F7
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401719

Memory Dump Source

Source File: 00000006.00000002.2362904408.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_esiffai.jbxd

Similarity

API ID: Section$View$Create$DuplicateObject
String ID:
API String ID: 1546783058-0
Opcode ID: 1ec31b479fd08731287e8d0e55fe4d339ef2a67852c713b723290c7befe848b2
Instruction ID: c9324331886a871ff7b65cfc1a3adde32c11ca3f72b54674233341407885f4d3
Opcode Fuzzy Hash: 1ec31b479fd08731287e8d0e55fe4d339ef2a67852c713b723290c7befe848b2
Instruction Fuzzy Hash: 7E511A71900249BBEB209F91CC48FEF7BB8EF85B00F144169F911AA2E5D7759945CB24

Uniqueness

Uniqueness Score: -1.00%

Function 00401729 Relevance: 4.7, APIs: 3, Instructions: 179
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 004016C6
NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016F7
NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401719

Memory Dump Source

Source File: 00000006.00000002.2362904408.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_esiffai.jbxd

Similarity

API ID: Section$View$Create
String ID:
API String ID: 33071139-0
Opcode ID: b6b7661ceeaa473891237c732f5305db374e8f07cd43916073c5c2763a81e662
Instruction ID: bb29a515743844fa426f6922f48e3936f90c9c278b9ffb8c9c9d974ad6050a99
Opcode Fuzzy Hash: b6b7661ceeaa473891237c732f5305db374e8f07cd43916073c5c2763a81e662
Instruction Fuzzy Hash: 69519272904104EBEB249A55CC44FAA77B5FF85700F24813BE842772F0D67C6942E65B

Uniqueness

Uniqueness Score: -1.00%

Function 00428960 Relevance: 24.7, APIs: 3, Strings: 11, Instructions: 233
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryW.KERNEL32(0043EE78,0BB7EA7B,4BBE82DD,2FC43CC7,52860AB1,6AD71B2C,43FE4454,34026A25), ref: 004291D8
GetProcAddress.KERNEL32(00000000,00435F64), ref: 004291E4
VirtualProtect.KERNELBASE(0043CD7C,0043F1FC,00000040,?), ref: 00429204

Strings

O8##, xrefs: 00428BF4
o:?, xrefs: 00428FFD
U99x, xrefs: 00428AC2
6, xrefs: 00428AD8
)?u, xrefs: 00429075
:/X, xrefs: 00428C9B
v;^:, xrefs: 00428DB8
F(+, xrefs: 00428A1E
dFfX, xrefs: 00428C85
R'._, xrefs: 00428D60
X2R, xrefs: 00428B8F

Memory Dump Source

Source File: 00000006.00000002.2362939701.000000000041B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0041B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_41b000_esiffai.jbxd

Similarity

API ID: AddressLibraryLoadProcProtectVirtual
String ID: )?u$:/X$F(+$O8##$R'._$U99x$X2R$dFfX$v;^:$o:?$6
API String ID: 3509694964-975362989
Opcode ID: c82d65674d401a7b1e414bfab665a5464b6362d272e7cd9f9191cd6ae349ec4d
Instruction ID: 0e50527ba4b031e140859e919ad1d7d9e103cce3504a35f0edd814b3be7eb076
Opcode Fuzzy Hash: c82d65674d401a7b1e414bfab665a5464b6362d272e7cd9f9191cd6ae349ec4d
Instruction Fuzzy Hash: 4C02A6B400E385CBD2B49F469689B8EBBE0BB95704F608A0CD5DD1A224CB754589CF97

Uniqueness

Uniqueness Score: -1.00%

Function 004C003C Relevance: 11.0, APIs: 4, Strings: 2, Instructions: 515
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 004C024D

Strings

cess, xrefs: 004C018D
kernel32.dll, xrefs: 004C008F, 004C0095

Memory Dump Source

Source File: 00000006.00000002.2363431931.00000000004C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c0000_esiffai.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: cess$kernel32.dll
API String ID: 4275171209-1230238691
Opcode ID: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction ID: 7172b0b9a9028b5bc288cbda9fb143cf9a5cc347473573ab14e018b37c9fdbfb
Opcode Fuzzy Hash: aaa6c488ea091c11cf1d14b1b8159415dd1a008d9b857f0942c425a8c5fa1e0a
Instruction Fuzzy Hash: 88527B78A01229DFDBA4CF58C984BA9BBB1BF09304F1480DAE50DA7351DB34AE85DF15

Uniqueness

Uniqueness Score: -1.00%

Function 005B1685 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 005B16AD
Module32First.KERNEL32(00000000,00000224), ref: 005B16CD

Memory Dump Source

Source File: 00000006.00000002.2364391445.00000000005AE000.00000040.00000020.00020000.00000000.sdmp, Offset: 005AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5ae000_esiffai.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 5c42efa07a71ede5c5f25cd1f5b9e23848074a98e386ff01f4c538a86d741d1a
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 9AF0C231600B116BD7603EB59C9DAAE7BECBF49364F940528E642918C0DA70F8054A68

Uniqueness

Uniqueness Score: -1.00%

Function 004C0E0F Relevance: 3.0, APIs: 2, Instructions: 15
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00000400,?,?,004C0223,?,?), ref: 004C0E19
SetErrorMode.KERNELBASE(00000000,?,?,004C0223,?,?), ref: 004C0E1E

Memory Dump Source

Source File: 00000006.00000002.2363431931.00000000004C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 004C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4c0000_esiffai.jbxd

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction ID: 37266e850fa7461fd680b01f9627d0ca78227899bd460c9d1794fc9cdfc8cad4
Opcode Fuzzy Hash: 027e3930a8fc815aeaa48c4a19c17906f2e2d358c6b73c72f02d274321b10a64
Instruction Fuzzy Hash: 24D01235145128B7D7403A94DC09BDE7B1CDF05B62F008411FB0DD9180C774994046E9

Uniqueness

Uniqueness Score: -1.00%

Function 00429210 Relevance: 1.5, APIs: 1, Instructions: 9
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(0043B008,004297F1), ref: 00429240

Memory Dump Source

Source File: 00000006.00000002.2362939701.000000000041B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0041B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_41b000_esiffai.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 177fc11dcc205afec358612b5d0d20c0cb4e35a1d7222503bff46025a820a84b
Instruction ID: 80b939fd025755d65466c522ce09237161ee75e88e92ffac205c303e2f9a118c
Opcode Fuzzy Hash: 177fc11dcc205afec358612b5d0d20c0cb4e35a1d7222503bff46025a820a84b
Instruction Fuzzy Hash: 06D0C968555B80C9CB0D8F14AA497063E71EB1170CB40B06DD3B05A232D3B80148DBDD

Uniqueness

Uniqueness Score: -1.00%

Function 0040193E Relevance: 1.3, APIs: 1, Instructions: 63
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388,0000006E), ref: 00401999

Part of subcall function 00401553: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
Part of subcall function 00401553: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644

Memory Dump Source

Source File: 00000006.00000002.2362904408.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_esiffai.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 71f746a8505fe108ed8da4cdd9973d259565c9a68103dfaed9332816d2b6fe75
Instruction ID: 4db8ba0b08380255fc5aa34ea3e13561f838480f888933e927f1079a64c57490
Opcode Fuzzy Hash: 71f746a8505fe108ed8da4cdd9973d259565c9a68103dfaed9332816d2b6fe75
Instruction Fuzzy Hash: 9A11CEF120C208FBEB006A959D62E7A3268AB40714F304137BA43790F1D57E8923F76B

Uniqueness

Uniqueness Score: -1.00%

Function 0040194A Relevance: 1.3, APIs: 1, Instructions: 57
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388,0000006E), ref: 00401999

Part of subcall function 00401553: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
Part of subcall function 00401553: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644

Memory Dump Source

Source File: 00000006.00000002.2362904408.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_esiffai.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: da38201a32f90b98934b488a65b371e434f1df0c2a04d29242935d2455de016b
Instruction ID: 0371ecd990254dd767a604aa567081474727263e4e3774a05daf7e54a603023c
Opcode Fuzzy Hash: da38201a32f90b98934b488a65b371e434f1df0c2a04d29242935d2455de016b
Instruction Fuzzy Hash: A901A1B120C204EBDB009A95DD62E7A3364AB40314F30453BBA437A1F1C67D9913E72B

Uniqueness

Uniqueness Score: -1.00%

Function 0040195C Relevance: 1.3, APIs: 1, Instructions: 52
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(00001388,0000006E), ref: 00401999

Part of subcall function 00401553: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
Part of subcall function 00401553: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644

Memory Dump Source

Source File: 00000006.00000002.2362904408.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_esiffai.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 5e3dbe5dd20a4fb5b92f76c9b13fda5f390ba4e8200e1751a23b03b4d52e4fb4
Instruction ID: 3b2e7dc224df146109f963d95c0ead7a9e1b698bafe8296883a7ac19869aede1
Opcode Fuzzy Hash: 5e3dbe5dd20a4fb5b92f76c9b13fda5f390ba4e8200e1751a23b03b4d52e4fb4
Instruction Fuzzy Hash: BA0171B5208204EADB006AD5DD71E7A3269AB44314F304537BA43791F1D57D8912F72B

Uniqueness

Uniqueness Score: -1.00%

Function 00401973 Relevance: 1.3, APIs: 1, Instructions: 51sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388,0000006E), ref: 00401999

Part of subcall function 00401553: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
Part of subcall function 00401553: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644

Memory Dump Source

Source File: 00000006.00000002.2362904408.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_esiffai.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: acb1fae293eb73a10805bbdd55e216ebbc49928181db8483aeacc3243d44ee5b
Instruction ID: 4b03b50232763afd30ab0c608f125a1a80ed78bb00471cf4ed55e3bed959d7b6
Opcode Fuzzy Hash: acb1fae293eb73a10805bbdd55e216ebbc49928181db8483aeacc3243d44ee5b
Instruction Fuzzy Hash: F80184B5208204EBDB006AD5DD71EBA3269AB44354F304537BA43790F1C57D8912F72B

Uniqueness

Uniqueness Score: -1.00%

Function 00401964 Relevance: 1.3, APIs: 1, Instructions: 50sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388,0000006E), ref: 00401999

Part of subcall function 00401553: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
Part of subcall function 00401553: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644

Memory Dump Source

Source File: 00000006.00000002.2362904408.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_esiffai.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: e5353c19dd0b10c2d892503bd00f36fba5e3f507ee708bcba0cfbdc82fbef293
Instruction ID: f592bab324d3cd5d6286c78059ef0a1e8702b22de7bd53a4ec4d5e19e7ef6e8c
Opcode Fuzzy Hash: e5353c19dd0b10c2d892503bd00f36fba5e3f507ee708bcba0cfbdc82fbef293
Instruction Fuzzy Hash: 0D0184B5208204EBDB006AC5DD62EBA3265AB44314F204537FA43791F1C57D8912F72B

Uniqueness

Uniqueness Score: -1.00%

Function 005B1344 Relevance: 1.3, APIs: 1, Instructions: 48memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 005B1395

Memory Dump Source

Source File: 00000006.00000002.2364391445.00000000005AE000.00000040.00000020.00020000.00000000.sdmp, Offset: 005AE000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_5ae000_esiffai.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: 1cfbcb5bbc95422d3ec923f59a7a5c2fb8a9bcf8b5ea2854ae427bbe8753c6b0
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: E3113C79A00208EFDB01DF99C989E99BFF5AF08350F598094F9489B362D371EA50DF84

Uniqueness

Uniqueness Score: -1.00%

Function 00401987 Relevance: 1.3, APIs: 1, Instructions: 46sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388,0000006E), ref: 00401999

Part of subcall function 00401553: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
Part of subcall function 00401553: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644

Memory Dump Source

Source File: 00000006.00000002.2362904408.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_esiffai.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: 74fb996ba95ec06bb2abe22af5600ab9efc13f551b73dbf86f34961914988ff4
Instruction ID: 68c2b1bb8267a16b47d2b790190fa602822f098e0b694be4ddc2e306b3be1968
Opcode Fuzzy Hash: 74fb996ba95ec06bb2abe22af5600ab9efc13f551b73dbf86f34961914988ff4
Instruction Fuzzy Hash: 2AF086B5208204FADB006BD59D61EBA3768AB44354F204137BA13790F1C57D8912F72B

Uniqueness

Uniqueness Score: -1.00%

Function 0040197A Relevance: 1.3, APIs: 1, Instructions: 45sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00001388,0000006E), ref: 00401999

Part of subcall function 00401553: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401617
Part of subcall function 00401553: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 00401644

Memory Dump Source

Source File: 00000006.00000002.2362904408.0000000000400000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_400000_esiffai.jbxd

Similarity

API ID: CreateDuplicateObjectSectionSleep
String ID:
API String ID: 4152845823-0
Opcode ID: f19d6598d7b3f8bbc47500c90c3d0bc6a0ede41a7b6f28d3ccddc132527cc834
Instruction ID: 49220a4dcaca44086484813bdb512237367292e15b320859d1a96440f4f24ef4
Opcode Fuzzy Hash: f19d6598d7b3f8bbc47500c90c3d0bc6a0ede41a7b6f28d3ccddc132527cc834
Instruction Fuzzy Hash: 7801A7B1208244FBDB016BD19D62EB93768AB05354F204537FA53790F2C67D8912E72B

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004293E0 Relevance: 49.3, APIs: 26, Strings: 2, Instructions: 272timememoryCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0042942D
GetLastError.KERNEL32(?,?,?,?,?,0043814C,?,?,?,?,004328D3,000000FF), ref: 00429433
GetConsoleAliasesA.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,0043814C,?,?,?,?,004328D3,000000FF), ref: 0042943F
CreateDirectoryW.KERNEL32(00000000,00000000,?,?,?,?,?,0043814C,?,?,?,?,004328D3,000000FF), ref: 0042945B
PulseEvent.KERNEL32(00000000), ref: 004294AF
FindResourceW.KERNEL32(00000000,00000000,00000000), ref: 004294BB
InterlockedIncrement.KERNEL32(?), ref: 004294D7
DestroyCursor.USER32(00000000), ref: 004294DF
SetDefaultCommConfigA.KERNEL32(00435F74,?,00000000), ref: 00429510
FreeEnvironmentStringsA.KERNEL32(00000000), ref: 00429518
GetCurrentDirectoryA.KERNEL32(00000000,?), ref: 00429527
EnumDateFormatsExW.KERNEL32(00000000,00000000,00000000), ref: 00429533
GetStartupInfoW.KERNEL32(00000000), ref: 00429544
GetModuleHandleExA.KERNEL32(00000000,00435F84,?), ref: 00429561
OpenJobObjectA.KERNEL32(00000000,00000000,00000000), ref: 0042960D
GetConsoleAliasesLengthW.KERNEL32(00000000), ref: 0042961F
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00429635
GetLocaleInfoA.KERNEL32(00000000,00000000,?,00000000), ref: 00429648
GlobalUnfix.KERNEL32(00000000), ref: 00429650
SystemTimeToTzSpecificLocalTime.KERNEL32(?,00000000,00000000), ref: 004296A9
SetCurrentDirectoryA.KERNEL32(00000000), ref: 004296B1
MoveFileExW.KERNEL32(00000000,00000000,00000000), ref: 004296BD
OpenWaitableTimerW.KERNEL32(00000000,00000000,00435FC0), ref: 004296CC
CompareStringW.KERNEL32(00000000,00000000,00436000,00000000,00435FF0,00000000), ref: 004296E4
GetProcessHeap.KERNEL32 ref: 004296EA
DuplicateToken.ADVAPI32(00000000,?,00000000), ref: 004297E4

Strings

tl_, xrefs: 00429480
rolawijejojomomadiyoc linomizocohu, xrefs: 00429579

Memory Dump Source

Source File: 00000006.00000002.2362939701.000000000041B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0041B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_41b000_esiffai.jbxd

Similarity

API ID: Directory$AliasesConsoleCurrentInfoOpenTime$ByteCharCommCompareConfigCountCreateCursorDateDefaultDestroyDuplicateEnumEnvironmentErrorEventFileFindFormatsFreeGlobalHandleHeapIncrementInterlockedLastLengthLocalLocaleModuleMoveMultiObjectProcessPulseResourceSpecificStartupStringStringsSystemTickTimerTokenUnfixWaitableWide
String ID: rolawijejojomomadiyoc linomizocohu$tl_
API String ID: 1921510943-543283259
Opcode ID: b12ee619fb321c931cc0e0a795eee1f3fdf153278b53ee1f33741cbf59ba91f2
Instruction ID: 383bfb50e9770760059b075bd7030f224d1257b594166e4078eddca920172dc2
Opcode Fuzzy Hash: b12ee619fb321c931cc0e0a795eee1f3fdf153278b53ee1f33741cbf59ba91f2
Instruction Fuzzy Hash: 75B18070E44214EBEB24EF51EC46BD97770BB08706F5051BAF209AA2D1D7B81A84CF5E

Uniqueness

Uniqueness Score: -1.00%

Function 0042BD8B Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 106COMMON

Download Yara Rule

Strings

RCC, xrefs: 0042BDBE
MOC, xrefs: 0042BDB3
csm, xrefs: 0042BE89
csm, xrefs: 0042BDD2

Memory Dump Source

Source File: 00000006.00000002.2362939701.000000000041B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0041B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_41b000_esiffai.jbxd

Similarity

API ID:
String ID: MOC$RCC$csm$csm
API String ID: 0-1441736206
Opcode ID: 51ddc7d622768b648994bfc901679fd71fd89309388f9c8a2b7e661c37d1a842
Instruction ID: e6b5bf135bbd4fa504faa0114ddd5047e9e76c7fed377544e84da5609ec1682d
Opcode Fuzzy Hash: 51ddc7d622768b648994bfc901679fd71fd89309388f9c8a2b7e661c37d1a842
Instruction Fuzzy Hash: 6931AF316006258FCB309E59E4887EB73A8EF10305FDA886BDA85D7251D778DD448BDA

Uniqueness

Uniqueness Score: -1.00%

Function 00429330 Relevance: 6.0, APIs: 4, Instructions: 50pipetimeCOMMON

Download Yara Rule

APIs

Part of subcall function 004292A0: RtlAllocateHeap.NTDLL(00000000,00000000,00000000), ref: 004292B7
Part of subcall function 004292A0: LoadLibraryA.KERNEL32(00000000), ref: 004292BF

FreeEnvironmentStringsA.KERNEL32(00000000), ref: 0042936B
ReadEventLogA.ADVAPI32(00000000,00000000,00000000,?,00000000,?,?), ref: 00429388
CreateNamedPipeA.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042939E
LocalFileTimeToFileTime.KERNEL32 ref: 004293BE

Memory Dump Source

Source File: 00000006.00000002.2362939701.000000000041B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0041B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_41b000_esiffai.jbxd

Similarity

API ID: FileTime$AllocateCreateEnvironmentEventFreeHeapLibraryLoadLocalNamedPipeReadStrings
String ID:
API String ID: 3811978434-0
Opcode ID: 443718bbd43fc4c96e3af459f3c541e8ec4a4aa86c5f93e77ac8b1c946b6dced
Instruction ID: 8cf1fd32eb33782c2d8b6dbf0dab4f1c630b3bf39d8709dcf0aeb079219da625
Opcode Fuzzy Hash: 443718bbd43fc4c96e3af459f3c541e8ec4a4aa86c5f93e77ac8b1c946b6dced
Instruction Fuzzy Hash: 1F014CB1244301EFD314DF54EC85F9AB7F4BB89705F40492DF2598B1A0D774AA48CBAA

Uniqueness

Uniqueness Score: -1.00%

Function 0042AA4D Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 0042AA73

Part of subcall function 0042A862: __fltout2.LIBCMT ref: 0042A88D

__cftog_l.LIBCMT ref: 0042AA99
__cftoe_l.LIBCMT ref: 0042AACB

Memory Dump Source

Source File: 00000006.00000002.2362939701.000000000041B000.00000020.00000001.01000000.00000005.sdmp, Offset: 0041B000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_41b000_esiffai.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 843931e506ad9f7667999f9533ecfb8930c9daf0a1febf59d810d17d1cd26479
Instruction ID: 03e6678406b2270711dd0135c87aafb7db3c484a9530a0e9959f614f83b4301a
Opcode Fuzzy Hash: 843931e506ad9f7667999f9533ecfb8930c9daf0a1febf59d810d17d1cd26479
Instruction Fuzzy Hash: A9117232100159BBCF125E85ED02CEE3F62BF18354B998816FE1954131C33AD9B1EB8A

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: 52CE.exePID: 2784, Parent PID: 4004COMMON

Execution Graph

Execution Coverage:	9.8%
Dynamic/Decrypted Code Coverage:	5.6%
Signature Coverage:	1.7%
Total number of Nodes:	1471
Total number of Limit Nodes:	15

Executed Functions

Function 0040B000 Relevance: 21.2, APIs: 9, Strings: 2, Instructions: 1986
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(?,?,00003000,00000004), ref: 0040B37B

Strings

MZx, xrefs: 0040B23D, 0040B24A, 0040B43E, 0040BD91
, xrefs: 0040BD4C

Memory Dump Source

Source File: 00000007.00000002.2523135411.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2522855241.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2523578065.000000000040E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2523739174.0000000000410000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2524802549.000000000049A000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_52CE.jbxd

Similarity

API ID: AllocVirtual
String ID: $MZx
API String ID: 4275171209-1316729395
Opcode ID: 4a2474eb565b212194a4bfe7e53538efd1de2892c4db19d4714e606f7a06ef2b
Instruction ID: 45b563f8a9da24adf82b643251c92e3455615102c1c9a1f57bf90e080ebc8d3e
Opcode Fuzzy Hash: 4a2474eb565b212194a4bfe7e53538efd1de2892c4db19d4714e606f7a06ef2b
Instruction Fuzzy Hash: 96D27A37D1172D47E7148A3CCC847A8A522EBD9320F91E772D86DEB6D4C7388E858B85

Uniqueness

Uniqueness Score: -1.00%

Function 007979A0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 150
nativememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 00797B45
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 00797B7F

Strings

~%#M, xrefs: 00797A63

Memory Dump Source

Source File: 00000007.00000002.2526188437.0000000000741000.00000020.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: true

Associated: 00000007.00000002.2525834350.0000000000740000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2526664284.0000000000798000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2526781814.000000000079C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2527037657.00000000007BB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_740000_52CE.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: ~%#M
API String ID: 292159236-585549556
Opcode ID: 08da30cf2241c79b55f0b8c815f226cc6511585eefbfcfde115a0ec72050045d
Instruction ID: 0dc7e584530ff37cb83cdeec6323ff50512c1688fded9e3b6bdfc3462734379c
Opcode Fuzzy Hash: 08da30cf2241c79b55f0b8c815f226cc6511585eefbfcfde115a0ec72050045d
Instruction Fuzzy Hash: 7F510A716042509FDB118F3CEC90BE63FF1EB5A328F14C359E6A09B2A2D63C9941CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00770EA0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 141
nativememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,00000001,00003000,00000040), ref: 0077102F
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 00771078

Strings

,, xrefs: 0077100A

Memory Dump Source

Source File: 00000007.00000002.2526188437.0000000000741000.00000020.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: true

Associated: 00000007.00000002.2525834350.0000000000740000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2526664284.0000000000798000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2526781814.000000000079C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2527037657.00000000007BB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_740000_52CE.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: ,
API String ID: 292159236-3772416878
Opcode ID: 55dd4b0a047b289dbf1175d9f7c78585ef9d423a7828a7aff9892dd13706477c
Instruction ID: 20fd292b469f18e54f9e15d3fb3a462c85e695527a790a8752f33e0852f9ad8b
Opcode Fuzzy Hash: 55dd4b0a047b289dbf1175d9f7c78585ef9d423a7828a7aff9892dd13706477c
Instruction Fuzzy Hash: 0F5106F05082909FCB158F68DC51BA67FF1EB8B310F04C159EAA45B2A2D6789941CBB8

Uniqueness

Uniqueness Score: -1.00%

Function 00795B20 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 125
nativememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 00795C6F
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 00795CB9

Strings

(Lmu, xrefs: 00795B89

Memory Dump Source

Source File: 00000007.00000002.2526188437.0000000000741000.00000020.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: true

Associated: 00000007.00000002.2525834350.0000000000740000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2526664284.0000000000798000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2526781814.000000000079C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2527037657.00000000007BB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_740000_52CE.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: (Lmu
API String ID: 292159236-3447634992
Opcode ID: e8b5cb143d114b0d489eb567eb342a14ce37743228792109da8b7fdb69082e81
Instruction ID: 94105b130a09c23cb363b2664b66da8c48a27ea0e551260516e4861e5466399f
Opcode Fuzzy Hash: e8b5cb143d114b0d489eb567eb342a14ce37743228792109da8b7fdb69082e81
Instruction Fuzzy Hash: A841D171904254AFCB11CF68DC40FAA7BF1FB4A310F158259FA609B3A1D73D9940CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0040BC8C Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___crtGetLocaleInfoEx.LIBCMTD ref: 0040BDAC

Strings

MZx, xrefs: 0040BD91
@, xrefs: 0040BCFD

Memory Dump Source

Source File: 00000007.00000002.2523135411.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2522855241.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2523578065.000000000040E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2523739174.0000000000410000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2524802549.000000000049A000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_52CE.jbxd

Similarity

API ID: InfoLocale___crt
String ID: @$MZx
API String ID: 3761071962-3611936126
Opcode ID: 7dc45aaf0ae24adfa88c969375c3421c20029c290821bfc3e8b4291c4182fdf1
Instruction ID: e74ed471c171aa623d419fce0af554c18742599ac165b1d16f4e0130d675293a
Opcode Fuzzy Hash: 7dc45aaf0ae24adfa88c969375c3421c20029c290821bfc3e8b4291c4182fdf1
Instruction Fuzzy Hash: C011D775914528CBDB28CB04D990BE9F7B2EB64304F1481DAD58DBB282D7785EC0CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00797B90 Relevance: 3.2, APIs: 2, Instructions: 159
nativememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 00797D53
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 00797D8E

Memory Dump Source

Source File: 00000007.00000002.2526188437.0000000000741000.00000020.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: true

Associated: 00000007.00000002.2525834350.0000000000740000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2526664284.0000000000798000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2526781814.000000000079C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2527037657.00000000007BB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_740000_52CE.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: cc85a1934c0826260f7122a4acaee529f39de8b5296307ebe5b9edd71fa0dc01
Instruction ID: 65e2ae499886fc3ac8f47e1c224b078b94f216309b474354c7ff2ceb025e6678
Opcode Fuzzy Hash: cc85a1934c0826260f7122a4acaee529f39de8b5296307ebe5b9edd71fa0dc01
Instruction Fuzzy Hash: AA51E7316042909FDB118F78AC51FE63FF0EB5A328F148355EAA0CB2A2D63C9645DB65

Uniqueness

Uniqueness Score: -1.00%

Function 00796930 Relevance: 3.2, APIs: 2, Instructions: 158
nativememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 00796AF3
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 00796B2E

Memory Dump Source

Source File: 00000007.00000002.2526188437.0000000000741000.00000020.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: true

Associated: 00000007.00000002.2525834350.0000000000740000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2526664284.0000000000798000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2526781814.000000000079C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2527037657.00000000007BB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_740000_52CE.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 7a72d9b343627338bba18b14095cedcb5c1de53d1b013cb44d467bed7513df1e
Instruction ID: e95681106a18f8cafb63206995db426250c9e22a6528e9f4402fc465def7983c
Opcode Fuzzy Hash: 7a72d9b343627338bba18b14095cedcb5c1de53d1b013cb44d467bed7513df1e
Instruction Fuzzy Hash: 2D51B3741046C09FDB158F78AC60BE63FF1EB5A220B14C359E6A49B3E2C62C9749D768

Uniqueness

Uniqueness Score: -1.00%

Function 00796730 Relevance: 3.2, APIs: 2, Instructions: 151
nativememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 007968E5
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 0079691F

Memory Dump Source

Source File: 00000007.00000002.2526188437.0000000000741000.00000020.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: true

Associated: 00000007.00000002.2525834350.0000000000740000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2526664284.0000000000798000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2526781814.000000000079C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2527037657.00000000007BB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_740000_52CE.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 49d58b5cd1a41f0c3db2bc87ca1e3c6c06f451c456f7ab337d542f33123b1075
Instruction ID: c5c5ad58d97ac557cb4fc74018690ec5096303e50af66352862eb0cf490d965a
Opcode Fuzzy Hash: 49d58b5cd1a41f0c3db2bc87ca1e3c6c06f451c456f7ab337d542f33123b1075
Instruction Fuzzy Hash: B951F7305046C1AFDF018F78AC54FA63FF1EB1A320F188359E6A09B2A2D63C9745D769

Uniqueness

Uniqueness Score: -1.00%

Function 007963D0 Relevance: 3.2, APIs: 2, Instructions: 151
nativememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 00796585
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 007965BA

Memory Dump Source

Source File: 00000007.00000002.2526188437.0000000000741000.00000020.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: true

Associated: 00000007.00000002.2525834350.0000000000740000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2526664284.0000000000798000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2526781814.000000000079C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2527037657.00000000007BB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_740000_52CE.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: a9141189395c23f360d2ce63a8a3de481c83c90ab02cafcde7ff5f0c7bd17bfa
Instruction ID: 4613b0d2a126e3bbb7813c5bc158b8c3cbf59e7398d5c6ebb1bcfc321b871abd
Opcode Fuzzy Hash: a9141189395c23f360d2ce63a8a3de481c83c90ab02cafcde7ff5f0c7bd17bfa
Instruction Fuzzy Hash: 7151E4705046D09FCB118F78AC51BA63FF1EB1A220F158385E6A0CB2A2D63C9B45DB69

Uniqueness

Uniqueness Score: -1.00%

Function 00793E10 Relevance: 3.1, APIs: 2, Instructions: 147
nativememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 00793FB5
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 00793FEA

Memory Dump Source

Source File: 00000007.00000002.2526188437.0000000000741000.00000020.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: true

Associated: 00000007.00000002.2525834350.0000000000740000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2526664284.0000000000798000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2526781814.000000000079C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2527037657.00000000007BB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_740000_52CE.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 2503e3d35e40244d27148b7b3bd9c7e5a0337deba8897f71b23ed56af3a58ad6
Instruction ID: a616beba5c80b391e3f2208a80111e247ba0232b27109951b6a4c2ea7afdcc64
Opcode Fuzzy Hash: 2503e3d35e40244d27148b7b3bd9c7e5a0337deba8897f71b23ed56af3a58ad6
Instruction Fuzzy Hash: 09513A316042519FCF019F28EC90FE63FF1E71A310F148295EAA48B393D63C9A45CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0078FFD0 Relevance: 3.1, APIs: 2, Instructions: 145
nativememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,00000001,00000000,?,00003000,00000040), ref: 0079016B
NtFreeVirtualMemory.NTDLL(000000FF,00000001,00000001,00008000), ref: 007901A3

Memory Dump Source

Source File: 00000007.00000002.2526188437.0000000000741000.00000020.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: true

Associated: 00000007.00000002.2525834350.0000000000740000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2526664284.0000000000798000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2526781814.000000000079C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2527037657.00000000007BB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_740000_52CE.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 0ba723859a4fb872fbe2ef49bd50a7a571834bacf2ca0fb7fa1cdcf74d3c3809
Instruction ID: 3500afc6d34ed072a10fe1c145b95517bd0c70538ddb06e59bc204a5465dfe19
Opcode Fuzzy Hash: 0ba723859a4fb872fbe2ef49bd50a7a571834bacf2ca0fb7fa1cdcf74d3c3809
Instruction Fuzzy Hash: 6651FB716147449FDB118F39EC41B96BBF0FB8A320F14C71AE9A0973A1D738AA45CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00793C30 Relevance: 3.1, APIs: 2, Instructions: 144
nativememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 00793DC5
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 00793DF4

Memory Dump Source

Source File: 00000007.00000002.2526188437.0000000000741000.00000020.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: true

Associated: 00000007.00000002.2525834350.0000000000740000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2526664284.0000000000798000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2526781814.000000000079C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2527037657.00000000007BB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_740000_52CE.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: da067e4d5ef75842b40aadd9632530b98fe9c6057da86f2db2c9cd5fa0741717
Instruction ID: 7c52f8311345657b9fc53b62510175163436c55a9d75bf1915fe684a7af187d0
Opcode Fuzzy Hash: da067e4d5ef75842b40aadd9632530b98fe9c6057da86f2db2c9cd5fa0741717
Instruction Fuzzy Hash: 7151F8716082909FDB119F7CEC51BA63BF1E70A320F14C299EAA48B393C63C9945C769

Uniqueness

Uniqueness Score: -1.00%

Function 00795F40 Relevance: 3.1, APIs: 2, Instructions: 144
nativememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 007960E4
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 00796126

Memory Dump Source

Source File: 00000007.00000002.2526188437.0000000000741000.00000020.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: true

Associated: 00000007.00000002.2525834350.0000000000740000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2526664284.0000000000798000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2526781814.000000000079C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2527037657.00000000007BB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_740000_52CE.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 4f9dee100105e0ac7d256492e8c759068924af24667e6300fb0fac105b5149fd
Instruction ID: b7387b340ca313447486775c760f88b8ec22f14c3ced9dd19e2b688158222eed
Opcode Fuzzy Hash: 4f9dee100105e0ac7d256492e8c759068924af24667e6300fb0fac105b5149fd
Instruction Fuzzy Hash: F25191745053909FDB018F69ACA0FA53FF0EB1A310F189389F7A49B2E2C62C9545DB79

Uniqueness

Uniqueness Score: -1.00%

Function 00784BB0 Relevance: 3.1, APIs: 2, Instructions: 126
nativememoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 00784D1C
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 00784D50

Memory Dump Source

Source File: 00000007.00000002.2526188437.0000000000741000.00000020.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: true

Associated: 00000007.00000002.2525834350.0000000000740000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2526664284.0000000000798000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2526781814.000000000079C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2527037657.00000000007BB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_740000_52CE.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: ce29da7690ed889b072513f8ad647cb21aaae14aacb258b9c3dfe09c315f1894
Instruction ID: 878a65ee42e8e21ddceca2475a0d03776cd565d3c19453b094f9871d3dde9c80
Opcode Fuzzy Hash: ce29da7690ed889b072513f8ad647cb21aaae14aacb258b9c3dfe09c315f1894
Instruction Fuzzy Hash: EC41F5702052D09FDB018FB89C51BA37FF4EB8B320F148265E9A49B3E2C63C4945CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00768370 Relevance: 3.1, APIs: 2, Instructions: 117nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 007684B9
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 007684E5

Memory Dump Source

Source File: 00000007.00000002.2526188437.0000000000741000.00000020.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: true

Associated: 00000007.00000002.2525834350.0000000000740000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2526664284.0000000000798000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2526781814.000000000079C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2527037657.00000000007BB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_740000_52CE.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 1dd0453e98f431d410b6752da25e0a38726e4dc58d12a5ee9e365be227a9563f
Instruction ID: 86af35200a8b58298ad342f0b61b09f4d97b4dd0738cfbd898ec9b3cc8a91e0f
Opcode Fuzzy Hash: 1dd0453e98f431d410b6752da25e0a38726e4dc58d12a5ee9e365be227a9563f
Instruction Fuzzy Hash: F641D3751052919FEB108F28DC607A77BF4EB8B330F54C259E9619B3E1CA386909CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0078FEC0 Relevance: 3.1, APIs: 2, Instructions: 85nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 0078FF8C
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 0078FFC0

Memory Dump Source

Source File: 00000007.00000002.2526188437.0000000000741000.00000020.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: true

Associated: 00000007.00000002.2525834350.0000000000740000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2526664284.0000000000798000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2526781814.000000000079C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2527037657.00000000007BB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_740000_52CE.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID:
API String ID: 292159236-0
Opcode ID: 6b6f1355456d374758795575ad6a9201ce949d4d675f57d3132517913cf37ac7
Instruction ID: c881d20c470ebc4dfba2ae34be41599eb1caa3b3dd80a72ae1d76404aa253a2f
Opcode Fuzzy Hash: 6b6f1355456d374758795575ad6a9201ce949d4d675f57d3132517913cf37ac7
Instruction Fuzzy Hash: C631CE70600254ABDB219F18DC45FA6BBF4FF4A324F248755FA64AB3E0D7385980CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0078FDA0 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000,?), ref: 0078FDB5

Memory Dump Source

Source File: 00000007.00000002.2526188437.0000000000741000.00000020.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: true

Associated: 00000007.00000002.2525834350.0000000000740000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2526664284.0000000000798000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2526781814.000000000079C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2527037657.00000000007BB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_740000_52CE.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 1925a0617e5910eaf29626bd77cdd8ab55e39abb0ca59a2738d091b435ec9e03
Instruction ID: 41c72209e6ce8718be57c5200ef1fc4fc482f55b97806601f75587f1ce146c07
Opcode Fuzzy Hash: 1925a0617e5910eaf29626bd77cdd8ab55e39abb0ca59a2738d091b435ec9e03
Instruction Fuzzy Hash: 39C04C31340540AFDF259F10CE54F75776DEB40B40F144468F606C55D0C629DC42DB54

Uniqueness

Uniqueness Score: -1.00%

Function 0078FD80 Relevance: 1.5, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000,?), ref: 0078FD8F

Memory Dump Source

Source File: 00000007.00000002.2526188437.0000000000741000.00000020.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: true

Associated: 00000007.00000002.2525834350.0000000000740000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2526664284.0000000000798000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2526781814.000000000079C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2527037657.00000000007BB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_740000_52CE.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 9023fb4727125ba3298f026b6336c9ac2c6cfa96fbd088de1befec4bd2d8ff21
Instruction ID: 690d073b3a7b4eeefb612f23201a23d1c638506c128d8fcb6dcc73c82d336453
Opcode Fuzzy Hash: 9023fb4727125ba3298f026b6336c9ac2c6cfa96fbd088de1befec4bd2d8ff21
Instruction Fuzzy Hash: 44B09232180540EFCF129F40CE18F187B75FB44B00F144454B301864B0C2399810EB04

Uniqueness

Uniqueness Score: -1.00%

Function 004033EC Relevance: 1.5, APIs: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 00403401

Memory Dump Source

Source File: 00000007.00000002.2523135411.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2522855241.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2523578065.000000000040E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2523739174.0000000000410000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2524802549.000000000049A000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_52CE.jbxd

Similarity

API ID: CreateHeap
String ID:
API String ID: 10892065-0
Opcode ID: 242878d187d5643130c6794d8ecc06df3bbe5c68090dea2f9b450bada74c94ef
Instruction ID: 864410e9f4108eee9f11c692568db61d701976dfad32a66d6ed26009e0d2a454
Opcode Fuzzy Hash: 242878d187d5643130c6794d8ecc06df3bbe5c68090dea2f9b450bada74c94ef
Instruction Fuzzy Hash: 1BD05E326547445AEB015F796D087663BDCD3883A5F10883ABA0CC6190E5B4C9519648

Uniqueness

Uniqueness Score: -1.00%

Function 0040DCB0 Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

FreeConsole.KERNELBASE ref: 0040DCB4

Memory Dump Source

Source File: 00000007.00000002.2523135411.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2522855241.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2523578065.000000000040E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2523739174.0000000000410000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2524802549.000000000049A000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_52CE.jbxd

Similarity

API ID: ConsoleFree
String ID:
API String ID: 771614528-0
Opcode ID: 5fc21eec1f23c2ddc96ba810ee31830b4c04f9f96cda763a4c103ddf85a431ab
Instruction ID: 7b27de6d539aeb1644e4f2f03d983ee9e69fb45dd94d72c6f60c9f18749431db
Opcode Fuzzy Hash: 5fc21eec1f23c2ddc96ba810ee31830b4c04f9f96cda763a4c103ddf85a431ab
Instruction Fuzzy Hash: 6FB09BB480130CF7C700DBD5C90494E7BFCA704305F104454F50063201C775AA045B54

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00404C24 Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 004091E0
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 004091F5
UnhandledExceptionFilter.KERNEL32(0040F504), ref: 00409200
GetCurrentProcess.KERNEL32(C0000409), ref: 0040921C
TerminateProcess.KERNEL32(00000000), ref: 00409223

Memory Dump Source

Source File: 00000007.00000002.2523135411.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2522855241.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2523578065.000000000040E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2523739174.0000000000410000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2524802549.000000000049A000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_52CE.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: f2bbd0da6f7b18c8355828f3f8a7afa88d88d0fcf61f3e80c7d782fe74e9c0ff
Instruction ID: bb8398d19da081a35822c54209d99ce72d36d9d7c0c958ebdc78be1de8c65a77
Opcode Fuzzy Hash: f2bbd0da6f7b18c8355828f3f8a7afa88d88d0fcf61f3e80c7d782fe74e9c0ff
Instruction Fuzzy Hash: 3A21BDB4921304DBEB14DFAAE9856483BA4FB28300F0054BFE908972A1EBB55D81CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 0078DD00 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 137nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 0078DE83
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 0078DEBE

Strings

)_X, xrefs: 0078DD57

Memory Dump Source

Source File: 00000007.00000002.2526188437.0000000000741000.00000020.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: true

Associated: 00000007.00000002.2525834350.0000000000740000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2526664284.0000000000798000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2526781814.000000000079C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2527037657.00000000007BB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_740000_52CE.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: )_X
API String ID: 292159236-3957395073
Opcode ID: b4a18c7197f094929c3d6aefa48e70c0e0bd1706b8690e3cfa64026571e825de
Instruction ID: 941e40e8aa67ca775d31fdd5a4103e1d8302d3345887ed98a45b8f7368aa6aa2
Opcode Fuzzy Hash: b4a18c7197f094929c3d6aefa48e70c0e0bd1706b8690e3cfa64026571e825de
Instruction Fuzzy Hash: 6851C4705053409FDB119F38DC11FA63FF1EB1A320F148359EAA49B2A3DA3C9902DB68

Uniqueness

Uniqueness Score: -1.00%

Function 00796180 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 131nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 007962E4
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 00796325

Strings

$, xrefs: 007962C2

Memory Dump Source

Source File: 00000007.00000002.2526188437.0000000000741000.00000020.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: true

Associated: 00000007.00000002.2525834350.0000000000740000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2526664284.0000000000798000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2526781814.000000000079C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2527037657.00000000007BB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_740000_52CE.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: $
API String ID: 292159236-3993045852
Opcode ID: 362fb71397e42633bf9f8714364e546c57ba30653db1178551b3ca04e06f55b6
Instruction ID: 77fc8e3a83229065cf943c721a5251486862d1d894e155a370f60ee7d605a5cf
Opcode Fuzzy Hash: 362fb71397e42633bf9f8714364e546c57ba30653db1178551b3ca04e06f55b6
Instruction Fuzzy Hash: AC41D6701146D09FDB018F68AC50FA57FF1EB5A324F248345EBA05B2E2C63C5646CB68

Uniqueness

Uniqueness Score: -1.00%

Function 007908A0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 124nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 007909E5
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 00790A1F

Strings

Bj]K, xrefs: 007908ED

Memory Dump Source

Source File: 00000007.00000002.2526188437.0000000000741000.00000020.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: true

Associated: 00000007.00000002.2525834350.0000000000740000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2526664284.0000000000798000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2526781814.000000000079C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2527037657.00000000007BB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_740000_52CE.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: Bj]K
API String ID: 292159236-3137518173
Opcode ID: f08f7682d6c8dce54f4587cfbae4de0164750879224630f57ade5f5e5c17312b
Instruction ID: 633320495b2e882f96823f0112708ab528fbb09bd06fb4f3a2cd8b658468c6a1
Opcode Fuzzy Hash: f08f7682d6c8dce54f4587cfbae4de0164750879224630f57ade5f5e5c17312b
Instruction Fuzzy Hash: E5410970A002559FDB118F28EC44FB67BF5FB49320F14C355EAA09B3A1C7399A81CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00768500 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 112nativememoryCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000040), ref: 0076862C
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 00768674

Strings

,, xrefs: 00768607

Memory Dump Source

Source File: 00000007.00000002.2526188437.0000000000741000.00000020.00001000.00020000.00000000.sdmp, Offset: 00740000, based on PE: true

Associated: 00000007.00000002.2525834350.0000000000740000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2526664284.0000000000798000.00000002.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2526781814.000000000079C000.00000004.00001000.00020000.00000000.sdmpDownload File
Associated: 00000007.00000002.2527037657.00000000007BB000.00000002.00001000.00020000.00000000.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_740000_52CE.jbxd

Similarity

API ID: MemoryVirtual$AllocateFree
String ID: ,
API String ID: 292159236-3772416878
Opcode ID: b02b5d897e57d16824a38759734c21c46e67bd2515db498a39f1685ea15bae2d
Instruction ID: 10ec8e981cf9cf5e091f79b200b3d951166e263ffb32f831de32d575dd05aec5
Opcode Fuzzy Hash: b02b5d897e57d16824a38759734c21c46e67bd2515db498a39f1685ea15bae2d
Instruction Fuzzy Hash: 1E41E5715052809FDB118F28DC50BA67FF5FB8A320F588345FA649B2E1C738A850CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004020BA Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_00002078), ref: 004020BF

Memory Dump Source

Source File: 00000007.00000002.2523135411.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2522855241.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2523578065.000000000040E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2523739174.0000000000410000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2524802549.000000000049A000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_52CE.jbxd

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 6321d3ceb2d2059ab83b90681c59ec3ce13bf0e241f9a3b10a0f10e91a84f823
Instruction ID: 6fc5fb511032e0d15556f0cccb8f46923c03f68380ba340147d361c76280a70e
Opcode Fuzzy Hash: 6321d3ceb2d2059ab83b90681c59ec3ce13bf0e241f9a3b10a0f10e91a84f823
Instruction Fuzzy Hash: 6690026069221046C60017759F0DA0525A45B98742B514871A251E80D4DAF44014E51A

Uniqueness

Uniqueness Score: -1.00%

Function 00402FB6 Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 57libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,0040F5C0,0000000C,004030F1,00000000,00000000,?,00000000,?,00401FFB,00000000,00010000,00030000,?,004012DA), ref: 00402FC8
__crt_waiting_on_module_handle.LIBCMT ref: 00402FD3

Part of subcall function 004020C8: Sleep.KERNEL32(000003E8,00000000,?,00402F19,KERNEL32.DLL,?,00402F65,?,00000000,?,00401FFB,00000000,00010000,00030000,?,004012DA), ref: 004020D4
Part of subcall function 004020C8: GetModuleHandleW.KERNEL32(00000000,?,00402F19,KERNEL32.DLL,?,00402F65,?,00000000,?,00401FFB,00000000,00010000,00030000,?,004012DA), ref: 004020DD

GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 00402FFC
GetProcAddress.KERNEL32(?,DecodePointer), ref: 0040300C
__lock.LIBCMT ref: 0040302E
InterlockedIncrement.KERNEL32(?), ref: 0040303B
__lock.LIBCMT ref: 0040304F
___addlocaleref.LIBCMT ref: 0040306D

Strings

DecodePointer, xrefs: 00403004
EncodePointer, xrefs: 00402FF0
KERNEL32.DLL, xrefs: 00402FC2, 00402FC7, 00402FD2

Memory Dump Source

Source File: 00000007.00000002.2523135411.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2522855241.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2523578065.000000000040E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2523739174.0000000000410000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2524802549.000000000049A000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_52CE.jbxd

Similarity

API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
String ID: DecodePointer$EncodePointer$KERNEL32.DLL
API String ID: 1028249917-2843748187
Opcode ID: 41e6bf778d68cc2395c0aea3f6d940bc046e65b970a9a0c819c39b0f44fd7a57
Instruction ID: b405e1a5fff0d8971d57085e8ec84318b9a08ac337b96a55c307c2b657e29935
Opcode Fuzzy Hash: 41e6bf778d68cc2395c0aea3f6d940bc046e65b970a9a0c819c39b0f44fd7a57
Instruction Fuzzy Hash: D111C3719007019ED720EF3A9901B4ABFE4AF04314F10483FE599B62E1CBB89A408F2D

Uniqueness

Uniqueness Score: -1.00%

Function 00403903 Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0040390F

Part of subcall function 00403116: __getptd_noexit.LIBCMT ref: 00403119
Part of subcall function 00403116: __amsg_exit.LIBCMT ref: 00403126

__amsg_exit.LIBCMT ref: 0040392F
__lock.LIBCMT ref: 0040393F
InterlockedDecrement.KERNEL32(?), ref: 0040395C
InterlockedIncrement.KERNEL32(00731688), ref: 00403987

Memory Dump Source

Source File: 00000007.00000002.2523135411.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2522855241.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2523578065.000000000040E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2523739174.0000000000410000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2524802549.000000000049A000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_52CE.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: d7e9336c9de47708607b77593e0ef1dd666ae62cca8d89cb20aa74521767eb11
Instruction ID: f46a030621376f0d32dd3c412e84f5a384dc0bb7fdec6185e1166b0dddd859e7
Opcode Fuzzy Hash: d7e9336c9de47708607b77593e0ef1dd666ae62cca8d89cb20aa74521767eb11
Instruction Fuzzy Hash: 8D01A571900625A7CB11AF2A980574A7B64BB05726F05043BE814772D0DB7C9E41CFDD

Uniqueness

Uniqueness Score: -1.00%

Function 00405870 Relevance: 7.5, APIs: 5, Instructions: 44memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

__lock.LIBCMT ref: 0040588E

Part of subcall function 00404FFA: __mtinitlocknum.LIBCMT ref: 00405010
Part of subcall function 00404FFA: __amsg_exit.LIBCMT ref: 0040501C
Part of subcall function 00404FFA: EnterCriticalSection.KERNEL32(?,?,?,00409AA2,00000004,0040F7B0,0000000C,00405959,00000000,?,00000000,00000000,00000000,?,004030C8,00000001), ref: 00405024

___sbh_find_block.LIBCMT ref: 00405899
___sbh_free_block.LIBCMT ref: 004058A8
HeapFree.KERNEL32(00000000,00000000,0040F730,0000000C,00404FDB,00000000,0040F690,0000000C,00405015,00000000,?,?,00409AA2,00000004,0040F7B0,0000000C), ref: 004058D8
GetLastError.KERNEL32(?,00409AA2,00000004,0040F7B0,0000000C,00405959,00000000,?,00000000,00000000,00000000,?,004030C8,00000001,00000214), ref: 004058E9

Memory Dump Source

Source File: 00000007.00000002.2523135411.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2522855241.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2523578065.000000000040E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2523739174.0000000000410000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2524802549.000000000049A000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_52CE.jbxd

Similarity

API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
String ID:
API String ID: 2714421763-0
Opcode ID: a52e4c33ade83392b79ba9c1551cd723d8e59694c7c2c54b8399a5cf236615a4
Instruction ID: 74843043346d99ee986f6b0d7d2370b120e19c7988f11ed547b5d8d0c11fbe23
Opcode Fuzzy Hash: a52e4c33ade83392b79ba9c1551cd723d8e59694c7c2c54b8399a5cf236615a4
Instruction Fuzzy Hash: 7C017C72900B11AAEB217F76980A74F3B64EF40329F20803FF904BA1C1DA3C89509E5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040204F Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(KERNEL32,004012CA), ref: 00402054
GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 00402064

Strings

IsProcessorFeaturePresent, xrefs: 0040205E
KERNEL32, xrefs: 0040204F

Memory Dump Source

Source File: 00000007.00000002.2523135411.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2522855241.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2523578065.000000000040E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2523739174.0000000000410000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2524802549.000000000049A000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_52CE.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: IsProcessorFeaturePresent$KERNEL32
API String ID: 1646373207-3105848591
Opcode ID: d604e86d5082bfcf9618fae7bce2e3bf2821ede3a4950e8d2339623341658d94
Instruction ID: 457f048ded51d29ceac98a6aaaffafbbc0a85af5ba183fcc564f450b18b15760
Opcode Fuzzy Hash: d604e86d5082bfcf9618fae7bce2e3bf2821ede3a4950e8d2339623341658d94
Instruction Fuzzy Hash: 2EF03030A10A09D2EB101FB2BE0E76F7E78BB80745F9109B1D692B10D4DFB4C071D65A

Uniqueness

Uniqueness Score: -1.00%

Function 00401F1A Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 00401F40

Part of subcall function 00401D65: __fltout2.LIBCMT ref: 00401D91

__cftog_l.LIBCMT ref: 00401F66
__cftoe_l.LIBCMT ref: 00401F98

Memory Dump Source

Source File: 00000007.00000002.2523135411.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2522855241.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2523578065.000000000040E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2523739174.0000000000410000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2524802549.000000000049A000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_52CE.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction ID: 6f0eb088b426d70b6ac64939a41f05a5c36cd5b2f33677077cf0186b13881a6f
Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
Instruction Fuzzy Hash: 2811403200414EBBCF126ED5CC01CEE3F62BB18354B598426FE58691B1C33AC9B1AB85

Uniqueness

Uniqueness Score: -1.00%

Function 0040406F Relevance: 6.0, APIs: 4, Instructions: 31COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0040407B

Part of subcall function 00403116: __getptd_noexit.LIBCMT ref: 00403119
Part of subcall function 00403116: __amsg_exit.LIBCMT ref: 00403126

__getptd.LIBCMT ref: 00404092
__amsg_exit.LIBCMT ref: 004040A0
__lock.LIBCMT ref: 004040B0

Memory Dump Source

Source File: 00000007.00000002.2523135411.0000000000401000.00000020.00000001.01000000.00000006.sdmp, Offset: 00400000, based on PE: true

Associated: 00000007.00000002.2522855241.0000000000400000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2523578065.000000000040E000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2523739174.0000000000410000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.2524802549.000000000049A000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_400000_52CE.jbxd

Similarity

API ID: __amsg_exit__getptd$__getptd_noexit__lock
String ID:
API String ID: 3521780317-0
Opcode ID: 8c01c81f1a62b0b7e64404e1064a776a0194946f2795335aef47cb6c63d8afef
Instruction ID: d8edd00d46edf09951c02bbc718113f866f85dc5d002b073e4af004cbc6efa85
Opcode Fuzzy Hash: 8c01c81f1a62b0b7e64404e1064a776a0194946f2795335aef47cb6c63d8afef
Instruction Fuzzy Hash: FBF06D72A407149BD621BF79890274D36A46F80719F10417FE7447B6D2CB7C9D01DB5A

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: 58CA.exePID: 796, Parent PID: 4004COMMON

Execution Graph

Execution Coverage:	42.8%
Dynamic/Decrypted Code Coverage:	86.7%
Signature Coverage:	26.7%
Total number of Nodes:	45
Total number of Limit Nodes:	8

Executed Functions

Function 04AC0110 Relevance: 21.2, APIs: 14, Instructions: 248
memorynativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00002800,00001000,00000004), ref: 04AC0156
CreateProcessA.KERNELBASE(?,00000000), ref: 04AC0255
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 04AC0270
VirtualAlloc.KERNELBASE(00000000,00000004,00001000,00000004), ref: 04AC0283
Wow64GetThreadContext.KERNEL32(00000000,?), ref: 04AC029F
ReadProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 04AC02C8
NtUnmapViewOfSection.NTDLL(00000000,?), ref: 04AC02E3
VirtualAllocEx.KERNELBASE(00000000,?,?,00003000,00000040), ref: 04AC0304
NtWriteVirtualMemory.NTDLL(00000000,?,?,00000000,00000000), ref: 04AC032A
NtWriteVirtualMemory.NTDLL(00000000,00000000,?,00000002,00000000), ref: 04AC0399
WriteProcessMemory.KERNELBASE(00000000,?,?,00000004,00000000), ref: 04AC03BF
Wow64SetThreadContext.KERNEL32(00000000,?), ref: 04AC03E1
ResumeThread.KERNELBASE(00000000), ref: 04AC03ED
ExitProcess.KERNEL32(00000000), ref: 04AC0412

Memory Dump Source

Source File: 00000009.00000002.2442077472.0000000004AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ac0000_58CA.jbxd

Similarity

API ID: Virtual$MemoryProcess$AllocThreadWrite$ContextWow64$CreateExitFreeReadResumeSectionUnmapView
String ID:
API String ID: 3993611425-0
Opcode ID: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
Instruction ID: a50d5f73f4834131524884a89b112e381a9204be70164ce792614ec808f42add
Opcode Fuzzy Hash: ec80134effe49fee59cfb16798ca45a1398515b3278bf894a8b0bf22fdce02bc
Instruction Fuzzy Hash: FAB1B574A00208EFDB44CF98C895F9EBBB5BF88314F248158E909AB391D771AE41CF94

Uniqueness

Uniqueness Score: -1.00%

Function 04AC0420 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExA.USER32(00000200,saodkfnosa9uin,mfoaskdfnoa,00CF0000,80000000,80000000,000003E8,000003E8,00000000,00000000,00000000,00000000), ref: 04AC0533

Strings

mfoaskdfnoa, xrefs: 04AC0520, 04AC0523
saodkfnosa9uin, xrefs: 04AC04DA
0, xrefs: 04AC0492
d, xrefs: 04AC0584

Memory Dump Source

Source File: 00000009.00000002.2442077472.0000000004AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ac0000_58CA.jbxd

Similarity

API ID: CreateWindow
String ID: 0$d$mfoaskdfnoa$saodkfnosa9uin
API String ID: 716092398-2341455598
Opcode ID: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
Instruction ID: 9a399749f104a2010d16d436b3208a6f01e87971e0fc8f632668d67a6284b957
Opcode Fuzzy Hash: bb9b397fb3b679a7694c33bc0dbf232ca5c2d59a4e09fc52e4db1d59d2773c33
Instruction Fuzzy Hash: FB510670D0838CDBEB11CBE8C849BADBFB2AF15708F144058D5447F286C7BA6659CB66

Uniqueness

Uniqueness Score: -1.00%

Function 04AC05B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetFileAttributesA.KERNELBASE(apfHQ), ref: 04AC05EC

Strings

o, xrefs: 04AC0600
apfHQ, xrefs: 04AC05E2, 04AC05E5

Memory Dump Source

Source File: 00000009.00000002.2442077472.0000000004AC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4ac0000_58CA.jbxd

Similarity

API ID: AttributesFile
String ID: apfHQ$o
API String ID: 3188754299-2999369273
Opcode ID: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
Instruction ID: 1b9890f9bfa1ca052dd0e9ec0b401abd3557ee54143b7b0ee42002469bd2d87e
Opcode Fuzzy Hash: af0d3c0451304eea9a95bfbcf33a37b8699cda851cd8c30db079f59d0d7bd2d6
Instruction Fuzzy Hash: 35011E70C0824CEEDB50DFD8C5183AEBFB5AF51308F14809DC4092B242D7B69B58CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 049057C6 Relevance: 3.0, APIs: 2, Instructions: 41
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 049057EE
Module32First.KERNEL32(00000000,00000224), ref: 0490580E

Memory Dump Source

Source File: 00000009.00000002.2441680458.0000000004905000.00000040.00000020.00020000.00000000.sdmp, Offset: 04905000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4905000_58CA.jbxd

Yara matches

Similarity

API ID: CreateFirstModule32SnapshotToolhelp32
String ID:
API String ID: 3833638111-0
Opcode ID: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction ID: 6dcc698c1730d34a72b8764a28f099603b5288bd8bf1061c2ce570ae5eaffb1a
Opcode Fuzzy Hash: 3788706d20f5b898e185810e19a2e38a50b9b544ac306a9cd33eedd6d527d18a
Instruction Fuzzy Hash: 68F06232200711BFD7207BB5A88DAAE76ECAF89735F118538EA42910C0DA70F8458A65

Uniqueness

Uniqueness Score: -1.00%

Function 04905485 Relevance: 1.3, APIs: 1, Instructions: 48
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 049054D6

Memory Dump Source

Source File: 00000009.00000002.2441680458.0000000004905000.00000040.00000020.00020000.00000000.sdmp, Offset: 04905000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4905000_58CA.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction ID: b356a5025bee928c9b083607fb28e9b05ba32da8682fbb4c942217c63663d472
Opcode Fuzzy Hash: 499270a49480bde3a93b1541ef130abcc6c407f96609cce36d97d57e1d2ec7bb
Instruction Fuzzy Hash: 1E112D79A00208FFDB01DF98C985E99BBF5AF08350F0580A4F9489B361D371EA50DF94

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: 5C46.exePID: 1468, Parent PID: 4004COMMON

Execution Graph

Execution Coverage:	7.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	6.1%
Total number of Nodes:	310
Total number of Limit Nodes:	5

Executed Functions

Function 00409543 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 78
memorylibrarynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409574
NtAllocateVirtualMemory.NTDLL(000000FF,0046C2D0,00000000,00001000,00003000,00000004), ref: 004095E1
EnterCriticalSection.KERNEL32(DB51E8EC), ref: 00409610
RtlInitUnicodeString.NTDLL(00000180,004E0000), ref: 00409626
RtlInitUnicodeString.NTDLL(00000178,004E0000), ref: 0040963C
LeaveCriticalSection.KERNEL32(DB51E8EC), ref: 00409649
LdrEnumerateLoadedModules.NTDLL(00000000,004050A2,00404393), ref: 0040965A

Strings

explorer.exe, xrefs: 004095A8

Memory Dump Source

Source File: 0000000A.00000002.2405682456.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2405664521.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405705506.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405732872.0000000000413000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405778395.000000000046E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_5C46.jbxd

Yara matches

Similarity

API ID: CriticalInitSectionStringUnicode$AllocateDirectoryEnterEnumerateLeaveLoadedMemoryModulesVirtualWindows
String ID: explorer.exe
API String ID: 3728205514-3187896405
Opcode ID: 971d90eb416ca67aafcaf3557b906dfb5bbb6d99924e81ee9f7e95ee9359d988
Instruction ID: d3c5517ac64ebe0f4a93bb8fcf9093c65cacff95b6910bca11f849b0b04bbd4d
Opcode Fuzzy Hash: 971d90eb416ca67aafcaf3557b906dfb5bbb6d99924e81ee9f7e95ee9359d988
Instruction Fuzzy Hash: 4F3195B5940208EBC704DF90DCC5FA97775AB48305F1081BAFA05672D1E7B8AE85CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 0040AEA4 Relevance: 3.0, APIs: 2, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.2405682456.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2405664521.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405705506.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405732872.0000000000413000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405778395.000000000046E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_5C46.jbxd

Yara matches

Similarity

API ID: Module$FileHandleInitializeLibraryLoadName
String ID:
API String ID: 1691763914-0
Opcode ID: 1d1e830cd534af54437783b51cc9c08bc841a27dcc6edcfaa80d65915427b13e
Instruction ID: b20ac1345fbffd2ee6b09d0fcfa97f88ae309217d757d61775f2d603f36cc11d
Opcode Fuzzy Hash: 1d1e830cd534af54437783b51cc9c08bc841a27dcc6edcfaa80d65915427b13e
Instruction Fuzzy Hash: 0BF0BE70608345D6C6047FB38E4672A76B8AF0030DF10407FFD02B62D2EA7E9A11559F

Uniqueness

Uniqueness Score: -1.00%

Function 00405C4C Relevance: 12.1, APIs: 8, Instructions: 78
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(00000000), ref: 00401244
LocalFree.KERNEL32(00000000), ref: 00403BD3
GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000), ref: 00407A5F
LocalAlloc.KERNEL32(00000000,00000000), ref: 00407A6B
GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000), ref: 00407A86
OpenProcessToken.ADVAPI32(000000FF,00000008,00000000), ref: 00409C94

Memory Dump Source

Source File: 0000000A.00000002.2405682456.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2405664521.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405705506.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405732872.0000000000413000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405778395.000000000046E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_5C46.jbxd

Yara matches

Similarity

API ID: Token$InformationLocal$AllocChangeCloseFindFreeNotificationOpenProcess
String ID:
API String ID: 2854556994-0
Opcode ID: 2fabac034638274b2c3e67be2bc06953f5cdff95292f6c9f39c7e9c359d166b0
Instruction ID: 2e4b4cc31351ce880421fb230fd6ac05725b6f10eb8191371f756e524e2f733f
Opcode Fuzzy Hash: 2fabac034638274b2c3e67be2bc06953f5cdff95292f6c9f39c7e9c359d166b0
Instruction Fuzzy Hash: ED313CB4A04208FFDB14CFD4C948BAEBBF8AB48301F1081AAE511B72D4D774AB04DB65

Uniqueness

Uniqueness Score: -1.00%

Function 00404369 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000105), ref: 00404380
CoInitialize.OLE32(00000000), ref: 00404388

Part of subcall function 00409543: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409574
Part of subcall function 00409543: NtAllocateVirtualMemory.NTDLL(000000FF,0046C2D0,00000000,00001000,00003000,00000004), ref: 004095E1
Part of subcall function 00409543: EnterCriticalSection.KERNEL32(DB51E8EC), ref: 00409610
Part of subcall function 00409543: RtlInitUnicodeString.NTDLL(00000180,004E0000), ref: 00409626
Part of subcall function 00409543: RtlInitUnicodeString.NTDLL(00000178,004E0000), ref: 0040963C
Part of subcall function 00409543: LeaveCriticalSection.KERNEL32(DB51E8EC), ref: 00409649
Part of subcall function 00409543: LdrEnumerateLoadedModules.NTDLL(00000000,004050A2,00404393), ref: 0040965A

Part of subcall function 00405C4C: FindCloseChangeNotification.KERNELBASE(00000000), ref: 00401244
Part of subcall function 00405C4C: LocalFree.KERNEL32(00000000), ref: 00403BD3
Part of subcall function 00405C4C: OpenProcessToken.ADVAPI32(000000FF,00000008,00000000), ref: 00409C94

ExitProcess.KERNEL32 ref: 0040A945

Strings

/C , xrefs: 0040640F
%systemroot%\system32\cmd.exe, xrefs: 00406402

Memory Dump Source

Source File: 0000000A.00000002.2405682456.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2405664521.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405705506.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405732872.0000000000413000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405778395.000000000046E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_5C46.jbxd

Yara matches

Similarity

API ID: CriticalInitProcessSectionStringUnicode$AllocateChangeCloseDirectoryEnterEnumerateExitFileFindFreeInitializeLeaveLoadedLocalMemoryModuleModulesNameNotificationOpenTokenVirtualWindows
String ID: %systemroot%\system32\cmd.exe$/C
API String ID: 41577365-3057154508
Opcode ID: c5e22f618a67b604fe27e09ba26f5c85a86b36c7864aea17beee92a495aee461
Instruction ID: 7b01f62542bec0b1d87828faea97dd6a3c55c304531570e4c9315d46f9a50642
Opcode Fuzzy Hash: c5e22f618a67b604fe27e09ba26f5c85a86b36c7864aea17beee92a495aee461
Instruction Fuzzy Hash: 9411ABB290430866D710BB60EC47FDE73299B54705F0045BBB709B50C2ED7997D88EAE

Uniqueness

Uniqueness Score: -1.00%

Function 00407AB9 Relevance: 6.1, APIs: 4, Instructions: 59
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(00000000), ref: 00401244
LocalFree.KERNEL32(00000000), ref: 00403BD3
LocalAlloc.KERNEL32(00000000,00000000), ref: 00407A6B
GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000), ref: 00407A86

Memory Dump Source

Source File: 0000000A.00000002.2405682456.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2405664521.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405705506.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405732872.0000000000413000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405778395.000000000046E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_5C46.jbxd

Yara matches

Similarity

API ID: Local$AllocChangeCloseFindFreeInformationNotificationToken
String ID:
API String ID: 2094194634-0
Opcode ID: dfd389ba0a6e21506ee3ce54b84a7e53c4fc79e48b909ed38b184a154f02c170
Instruction ID: 8c14f008afbfcab52b1f24e0be9b5b67c8a06fc3440972dff98bedf792b56cd5
Opcode Fuzzy Hash: dfd389ba0a6e21506ee3ce54b84a7e53c4fc79e48b909ed38b184a154f02c170
Instruction Fuzzy Hash: 2E215E74D04208EFCB04CFE4C959AEEBBB5AB08305F1480AAE505B7394C7746B40DF29

Uniqueness

Uniqueness Score: -1.00%

Function 00409727 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 53
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Elevation:Administrator!new:, xrefs: 0040D196
$, xrefs: 0040D1CB

Memory Dump Source

Source File: 0000000A.00000002.2405682456.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2405664521.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405705506.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405732872.0000000000413000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405778395.000000000046E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_5C46.jbxd

Yara matches

Similarity

API ID:
String ID: $$Elevation:Administrator!new:
API String ID: 0-4251798642
Opcode ID: 62b649c32f93d2337679038de5d7ba034d8f130c97f012f79e63509bd4f77841
Instruction ID: 0ae50f5eb3c30b6def060569edfd5a96dae8f03997bbe75f6d7b2be729599e56
Opcode Fuzzy Hash: 62b649c32f93d2337679038de5d7ba034d8f130c97f012f79e63509bd4f77841
Instruction Fuzzy Hash: B31154B1C1020CABCB10EF94DD85AEE7778AB54305F14456AFA097A181E738EB44CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040D17F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CoGetObject.OLE32(?,00000024,?,?), ref: 0040D1EB

Strings

Elevation:Administrator!new:, xrefs: 0040D196
$, xrefs: 0040D1CB

Memory Dump Source

Source File: 0000000A.00000002.2405682456.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2405664521.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405705506.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405732872.0000000000413000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405778395.000000000046E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_5C46.jbxd

Yara matches

Similarity

API ID: Object
String ID: $$Elevation:Administrator!new:
API String ID: 2936123098-4251798642
Opcode ID: 69272883a17b5f6f07e2d21893714d2c4baf9a1707031f0601c46702adeeea6a
Instruction ID: b31a3ccbf289bc63fcd2c03f84205c468a6b0dd351633bc6c62a4601e098767b
Opcode Fuzzy Hash: 69272883a17b5f6f07e2d21893714d2c4baf9a1707031f0601c46702adeeea6a
Instruction Fuzzy Hash: 140162B2810208ABCB05EF90DC95DDE7B78AB18305F08455EF9057A181EB39E748CB75

Uniqueness

Uniqueness Score: -1.00%

Function 004063CE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405C4C: FindCloseChangeNotification.KERNELBASE(00000000), ref: 00401244
Part of subcall function 00405C4C: LocalFree.KERNEL32(00000000), ref: 00403BD3
Part of subcall function 00405C4C: OpenProcessToken.ADVAPI32(000000FF,00000008,00000000), ref: 00409C94

ExitProcess.KERNEL32 ref: 0040A945

Part of subcall function 00405312: RtlInitUnicodeString.NTDLL(?,00007FFD), ref: 00408342
Part of subcall function 00405312: RtlExpandEnvironmentStrings_U.NTDLL(00000000,?,?,00000000), ref: 00408372

Strings

/C , xrefs: 0040640F
%systemroot%\system32\cmd.exe, xrefs: 00406402

Memory Dump Source

Source File: 0000000A.00000002.2405682456.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2405664521.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405705506.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405732872.0000000000413000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405778395.000000000046E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_5C46.jbxd

Yara matches

Similarity

API ID: Process$ChangeCloseEnvironmentExitExpandFindFreeInitLocalNotificationOpenStringStrings_TokenUnicode
String ID: %systemroot%\system32\cmd.exe$/C
API String ID: 1629495445-3057154508
Opcode ID: 74dd183bfbc60cce3caee40a229eb83cba66efea863e32e52d49e009b086718c
Instruction ID: 6885a5c3f576ce6d6f9b2f3c688c14414178aeb406d1450dcc701d4c4953fbe4
Opcode Fuzzy Hash: 74dd183bfbc60cce3caee40a229eb83cba66efea863e32e52d49e009b086718c
Instruction Fuzzy Hash: 88F0A4F280030866CB10EB70DC46FDA33389B14305F0045BAB609B60C2EE7997C88AAD

Uniqueness

Uniqueness Score: -1.00%

Function 004069BB Relevance: 1.5, APIs: 1, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,00F1B4B0,?,8B6DF01F,?), ref: 0040A53E

Memory Dump Source

Source File: 0000000A.00000002.2405682456.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2405664521.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405705506.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405732872.0000000000413000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405778395.000000000046E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_5C46.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f586a6cd2cf2dbeeef7eea32102fec9f33a1a5ead16db59af31ba7ceb6fdb687
Instruction ID: df007bf62870af7b74df0dbbe881ec21055e906183b30cdd37e1bfed71aa1605
Opcode Fuzzy Hash: f586a6cd2cf2dbeeef7eea32102fec9f33a1a5ead16db59af31ba7ceb6fdb687
Instruction Fuzzy Hash: 6FE0EC631002087AD7102995DC46FE7765DD7C83A9F508432F705E61D1D63DD95092AE

Uniqueness

Uniqueness Score: -1.00%

Function 00401352 Relevance: 1.5, APIs: 1, Instructions: 29
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?,?,?,00000000,30DBCA36), ref: 0040139E

Memory Dump Source

Source File: 0000000A.00000002.2405682456.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2405664521.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405705506.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405732872.0000000000413000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405778395.000000000046E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_5C46.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 23b8f15108349a094178a66cda89c25afec04ff88fbbd6386f4d34c7ae965c1b
Instruction ID: a34d84a8aa74edc03bf23277289f2878ef58b524965e171c6cbb9bf5a1c13c13
Opcode Fuzzy Hash: 23b8f15108349a094178a66cda89c25afec04ff88fbbd6386f4d34c7ae965c1b
Instruction Fuzzy Hash: 6EF01276C0020CFFCF01AFA5C995CADBF75FF08204B0484AEF90426162DB369A24EB04

Uniqueness

Uniqueness Score: -1.00%

Function 0040A554 Relevance: 1.5, APIs: 1, Instructions: 28
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,00F1B4B0,?,8B6DF01F,?), ref: 0040A53E

Memory Dump Source

Source File: 0000000A.00000002.2405682456.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2405664521.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405705506.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405732872.0000000000413000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405778395.000000000046E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_5C46.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e49d5435ce23adc9ba57d6308fbfbf1d6f88da9ad89fc2230d2c21acb333a382
Instruction ID: 523668955e0e2244aa789caa92f6427d01868abc63ade59164da16a1192ab317
Opcode Fuzzy Hash: e49d5435ce23adc9ba57d6308fbfbf1d6f88da9ad89fc2230d2c21acb333a382
Instruction Fuzzy Hash: A5E0D831004604ADCB11DE58EC8EBDA7298D705311F6498339906FD581CB3CDA85859F

Uniqueness

Uniqueness Score: -1.00%

Function 0040135E Relevance: 1.5, APIs: 1, Instructions: 28
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?,?,?,00000000,30DBCA36), ref: 0040139E

Memory Dump Source

Source File: 0000000A.00000002.2405682456.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2405664521.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405705506.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405732872.0000000000413000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405778395.000000000046E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_5C46.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: fe7d76ad10c6a880bf5e1dfd2e6ced56b71b8bba822c6e1022d11efbb5b05653
Instruction ID: c3339b175f8b132734afde4b87bcd326777cd273dbfa93b5593f16fc1374389e
Opcode Fuzzy Hash: fe7d76ad10c6a880bf5e1dfd2e6ced56b71b8bba822c6e1022d11efbb5b05653
Instruction Fuzzy Hash: 3DF0F876C0020CBFCF01AFA5D955C9DBFB9FF48200F0084AEB91466162D7369A20AB54

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00408958 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(\\.\C:,00000000,00000003,00000000,00000003,00000000,00000000), ref: 00408972
DeviceIoControl.KERNEL32(?,00560000,00000000,00000000,?,00000020,?,00000000), ref: 00408994

Strings

\\.\PHYSICALDRIVE0, xrefs: 004089A0
\\.\C:, xrefs: 0040896D

Memory Dump Source

Source File: 0000000A.00000002.2405682456.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2405664521.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405705506.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405732872.0000000000413000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405778395.000000000046E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_5C46.jbxd

Yara matches

Similarity

API ID: ControlCreateDeviceFile
String ID: \\.\C:$\\.\PHYSICALDRIVE0
API String ID: 107608037-2160117148
Opcode ID: 320e27fcbf62a17e998bc26e42cf0c1a2d27fdc4df0059520f6dda202d1693b9
Instruction ID: 6179182b2b83b9443c5bd9d33f461fa1aeab268a59a3a7b7debce46551af33e6
Opcode Fuzzy Hash: 320e27fcbf62a17e998bc26e42cf0c1a2d27fdc4df0059520f6dda202d1693b9
Instruction Fuzzy Hash: AF216D38640348EFD718CF68ED45F99BBB4EB48701F10C1AAE905AB3E1D6B49B40CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040895B Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 57fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(\\.\C:,00000000,00000003,00000000,00000003,00000000,00000000), ref: 00408972
DeviceIoControl.KERNEL32(?,00560000,00000000,00000000,?,00000020,?,00000000), ref: 00408994

Strings

\\.\PHYSICALDRIVE0, xrefs: 004089A0
\\.\C:, xrefs: 0040896D

Memory Dump Source

Source File: 0000000A.00000002.2405682456.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2405664521.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405705506.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405732872.0000000000413000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405778395.000000000046E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_5C46.jbxd

Yara matches

Similarity

API ID: ControlCreateDeviceFile
String ID: \\.\C:$\\.\PHYSICALDRIVE0
API String ID: 107608037-2160117148
Opcode ID: 6e1c8ed08f6fcb21cf0fed49fef2ed80236c62ed62855b81c13f5c76d91f0969
Instruction ID: 711083b2bbb86b7d36e7a7c78397dedf6b4307ebbdc5261e1e4f3fe33cb2826c
Opcode Fuzzy Hash: 6e1c8ed08f6fcb21cf0fed49fef2ed80236c62ed62855b81c13f5c76d91f0969
Instruction Fuzzy Hash: 6F215C38600308AFD718CF58DC46F99BBB4AB48701F10C0AAE905AB3E1D6B4AA40CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00408951 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 56fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(\\.\C:,00000000,00000003,00000000,00000003,00000000,00000000), ref: 00408972
DeviceIoControl.KERNEL32(?,00560000,00000000,00000000,?,00000020,?,00000000), ref: 00408994

Strings

\\.\PHYSICALDRIVE0, xrefs: 004089A0
\\.\C:, xrefs: 0040896D

Memory Dump Source

Source File: 0000000A.00000002.2405682456.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2405664521.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405705506.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405732872.0000000000413000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405778395.000000000046E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_5C46.jbxd

Yara matches

Similarity

API ID: ControlCreateDeviceFile
String ID: \\.\C:$\\.\PHYSICALDRIVE0
API String ID: 107608037-2160117148
Opcode ID: 43b5c774c06db54b38c673015130514d13990ffabb50efddd8f557c0ac6fe542
Instruction ID: 389e508c5a35674a8dec956cf5ed0ace9ff19c3110c7d277eeff61c57732489a
Opcode Fuzzy Hash: 43b5c774c06db54b38c673015130514d13990ffabb50efddd8f557c0ac6fe542
Instruction Fuzzy Hash: 79216D78604348EFD708CF58E855BA9BBB4EB48711F10C1AAE905AB3E1D7B49B40CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004082B6 Relevance: 4.5, APIs: 3, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

CheckTokenMembership.ADVAPI32(00000000,?,00000000), ref: 00404845
AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 004082F8
FreeSid.ADVAPI32(?), ref: 0040AA9C

Memory Dump Source

Source File: 0000000A.00000002.2405682456.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2405664521.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405705506.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405732872.0000000000413000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405778395.000000000046E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_5C46.jbxd

Yara matches

Similarity

API ID: AllocateCheckFreeInitializeMembershipToken
String ID:
API String ID: 3429775523-0
Opcode ID: a4effce1087fb57fd00f7ec72273620cf91c437d6a0f92fe25e66b5b43bbe758
Instruction ID: 1502378442f3bba6843c10e462c5ea7b9d530f023e777048d123248eda5abe90
Opcode Fuzzy Hash: a4effce1087fb57fd00f7ec72273620cf91c437d6a0f92fe25e66b5b43bbe758
Instruction Fuzzy Hash: C9014470A04348FAEB10DBE4C948BEEBFB8AB15705F008499E101BA1C1D3B89B04DB66

Uniqueness

Uniqueness Score: -1.00%

Function 0040B453 Relevance: 1.6, APIs: 1, Instructions: 119COMMON

Download Yara Rule

APIs

DeviceIoControl.KERNEL32(00000000,0004D004,?,00000000,?,00000000,00000000,00000000), ref: 0040B613

Memory Dump Source

Source File: 0000000A.00000002.2405682456.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2405664521.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405705506.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405732872.0000000000413000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405778395.000000000046E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_5C46.jbxd

Yara matches

Similarity

API ID: ControlDevice
String ID:
API String ID: 2352790924-0
Opcode ID: a18e5d1472410fca8ca710374cb3d90e60d246b078c147aac9527c84940cfddb
Instruction ID: 4278b43e27663415cba18f20cd4f792bdb1a65b806582fdca38cb5ba5a4c1545
Opcode Fuzzy Hash: a18e5d1472410fca8ca710374cb3d90e60d246b078c147aac9527c84940cfddb
Instruction Fuzzy Hash: 5D515B75A04244DFEB08CF98C590BAABBB2EF94304F2881E9D9015B387C675EE41DB91

Uniqueness

Uniqueness Score: -1.00%

Function 0040D1F6 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 169libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,0040AEB6,?,?,004046B5), ref: 0040D1FE
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0040D336
LoadLibraryA.KERNEL32(ntdll.dll), ref: 0040D3A8

Strings

ntdll.dll, xrefs: 0040D3A3
advapi32.dll, xrefs: 0040D331
kernel32.dll, xrefs: 0040D1F9

Memory Dump Source

Source File: 0000000A.00000002.2405682456.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2405664521.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405705506.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405732872.0000000000413000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405778395.000000000046E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_5C46.jbxd

Yara matches

Similarity

API ID: LibraryLoad$HandleModule
String ID: advapi32.dll$kernel32.dll$ntdll.dll
API String ID: 2593893887-1356967432
Opcode ID: 77f18392bb993366c1df7b453053b3aeb51cb4a2013aefc10122c1c1374fb3f4
Instruction ID: ca720bcfbdb204521244a6d16e88fbee784b87e4b750a5d7fd7297a05bd30f3d
Opcode Fuzzy Hash: 77f18392bb993366c1df7b453053b3aeb51cb4a2013aefc10122c1c1374fb3f4
Instruction Fuzzy Hash: DC511DF2D10210EFD304BFA1BCC28393AB5E649305744457FF985A72A1F6B9A9448B6B

Uniqueness

Uniqueness Score: -1.00%

Function 004023F2 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 82libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(advapi32.dll), ref: 00402404
LoadLibraryA.KERNEL32(NTDLL.DLL), ref: 004024D2

Strings

advapi32.dll, xrefs: 004023FF
SeShutdownPrivilege, xrefs: 00402481
NTDLL.DLL, xrefs: 004024CD

Memory Dump Source

Source File: 0000000A.00000002.2405682456.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2405664521.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405705506.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405732872.0000000000413000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405778395.000000000046E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_5C46.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: NTDLL.DLL$SeShutdownPrivilege$advapi32.dll
API String ID: 1029625771-2471717051
Opcode ID: e654aa5178626686adecf490f11625747cc8277270b74630ebdda96dc98469bc
Instruction ID: 3c0ce9a7761a6e63309c521fc4ca6a6d9466e377a545f21450368ef7aac56ae8
Opcode Fuzzy Hash: e654aa5178626686adecf490f11625747cc8277270b74630ebdda96dc98469bc
Instruction Fuzzy Hash: F13146B1E10209EBDB04DFE0CD46BEEBB74EB44701F20416AF501B66C0E7795A44CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00405312 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

RtlNtStatusToDosError.NTDLL(C0000023), ref: 004037E8
RtlRestoreLastWin32Error.NTDLL(00000000), ref: 004037EF
RtlInitUnicodeString.NTDLL(?,00007FFD), ref: 00408342
RtlExpandEnvironmentStrings_U.NTDLL(00000000,?,?,00000000), ref: 00408372

Strings

#, xrefs: 00408385

Memory Dump Source

Source File: 0000000A.00000002.2405682456.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2405664521.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405705506.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405732872.0000000000413000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405778395.000000000046E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_5C46.jbxd

Yara matches

Similarity

API ID: Error$EnvironmentExpandInitLastRestoreStatusStringStrings_UnicodeWin32
String ID: #
API String ID: 4202685462-1885708031
Opcode ID: d2950aec320787fbfdd949c7a338a73876b2f1d301fb6a4be3977a861f702f93
Instruction ID: 2625ad76528c3a05819e41784e94355af3192e6a8ec1aace2841fc774e878e1c
Opcode Fuzzy Hash: d2950aec320787fbfdd949c7a338a73876b2f1d301fb6a4be3977a861f702f93
Instruction Fuzzy Hash: D5115175D14209EFDB14DFE4C984AAEBB79EF08301F10856AE915B32C0EB789705CB56

Uniqueness

Uniqueness Score: -1.00%

Function 004050A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

RtlInitUnicodeString.NTDLL(?,004E0000), ref: 004050CC
RtlInitUnicodeString.NTDLL(?,explorer.exe), ref: 004050DE

Strings

explorer.exe, xrefs: 004050D2

Memory Dump Source

Source File: 0000000A.00000002.2405682456.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2405664521.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405705506.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405732872.0000000000413000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405778395.000000000046E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_5C46.jbxd

Yara matches

Similarity

API ID: InitStringUnicode
String ID: explorer.exe
API String ID: 4228678080-3187896405
Opcode ID: 7d548acef704560823f98ce8b990f017fce1fd689d344c9a11bc31deb3c59b97
Instruction ID: 050ed0569a6514cfdb40d37d4b6a842c1993e2635d6f26a1999b978f90a0d4ff
Opcode Fuzzy Hash: 7d548acef704560823f98ce8b990f017fce1fd689d344c9a11bc31deb3c59b97
Instruction Fuzzy Hash: BAF09074204248EFCB04CF54C880E6ABBA6FB49304F20855AFC0597381C674ED91CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00403AEE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15synchronizationCOMMON

Download Yara Rule

APIs

CreateMutexW.KERNEL32(00000000,00000000,jmuZVxzUSQKZJ,?,?,004044C1,?,?,004046B5), ref: 00403AFB
GetLastError.KERNEL32(?,?,004044C1,?,?,004046B5), ref: 00403B06

Strings

jmuZVxzUSQKZJ, xrefs: 00403AF2

Memory Dump Source

Source File: 0000000A.00000002.2405682456.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000A.00000002.2405664521.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405705506.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405732872.0000000000413000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 0000000A.00000002.2405778395.000000000046E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_400000_5C46.jbxd

Yara matches

Similarity

API ID: CreateErrorLastMutex
String ID: jmuZVxzUSQKZJ
API String ID: 1925916568-1615886713
Opcode ID: 97f4a8950689e7290d3bb4c401befd14a09affdda078bd002e7cbc94f52d7475
Instruction ID: 0594eaefbf50b0c8ed9c9a89b72dfe51cd43608961eacb7f94053228cce8ae52
Opcode Fuzzy Hash: 97f4a8950689e7290d3bb4c401befd14a09affdda078bd002e7cbc94f52d7475
Instruction Fuzzy Hash: 32D017B044A304FAE3008F50DE4DB587EA4EB10702F208036E2026A2D4E3F85A45564A

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: regsvr32.exePID: 4904, Parent PID: 6104COMMON

Execution Graph

Execution Coverage:	20.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	43
Total number of Limit Nodes:	10

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 04DF4794 Relevance: 6.4, APIs: 4, Instructions: 450
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 04DF4ACB
VirtualProtect.KERNELBASE(?,?,?,?), ref: 04DF4AF2
VirtualProtect.KERNELBASE(?,?,?,?), ref: 04DF4B19
VirtualAlloc.KERNELBASE(?,?,?,?), ref: 04DF4CBE

Memory Dump Source

Source File: 0000000F.00000002.2436935322.0000000004DF1000.00000020.00001000.00020000.00000000.sdmp, Offset: 04DF1000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4df1000_regsvr32.jbxd

Similarity

API ID: Virtual$Protect$Alloc
String ID:
API String ID: 2541858876-0
Opcode ID: c6fa37e7156b2d9bc114be9aec815dce0315df63942087551865d445c91e420f
Instruction ID: db82b9d7a7f41e54aaa3c4d3993c07cc6f041e415313bb54d5d09bf234fddbcc
Opcode Fuzzy Hash: c6fa37e7156b2d9bc114be9aec815dce0315df63942087551865d445c91e420f
Instruction Fuzzy Hash: F102D5726083459FD738CF24CC51BABB7E2FBD8314F05892EE59AD7391DA34A8418B91

Uniqueness

Uniqueness Score: -1.00%

Function 04F210BB Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 117
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(?,?,?,?), ref: 04F2110E

Strings

rt, xrefs: 04F210E5

Memory Dump Source

Source File: 0000000F.00000002.2437055607.0000000004F21000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f21000_regsvr32.jbxd

Similarity

API ID: AllocVirtual
String ID: rt
API String ID: 4275171209-53332257
Opcode ID: fb503d677f2e942f89b2bfd609028a942a9fd1b7ab1ee0eab820d1912be1db24
Instruction ID: c324fb062313b1e2ef513875f64e4477a8233aafeb203e9604ef81315f60e8f1
Opcode Fuzzy Hash: fb503d677f2e942f89b2bfd609028a942a9fd1b7ab1ee0eab820d1912be1db24
Instruction Fuzzy Hash: AB418832614B118FD324CE39CA8151BBBE7BFD8310F16892CE4A697A25D774F8468B41

Uniqueness

Uniqueness Score: -1.00%

Function 04F247E0 Relevance: 1.7, APIs: 1, Instructions: 199
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

MapViewOfFile.KERNELBASE(?,?,?,?,?), ref: 04F2493A

Memory Dump Source

Source File: 0000000F.00000002.2437055607.0000000004F21000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f21000_regsvr32.jbxd

Similarity

API ID: FileView
String ID:
API String ID: 3314676101-0
Opcode ID: 7c03f317e237237c409e374b2b7a449f3cfa859b77b9780b79fa9c53c0beaf4f
Instruction ID: 38605dffea1453f4e074f5bb839bdd4477fe2665f9ab3cb2ce255040b9750e6b
Opcode Fuzzy Hash: 7c03f317e237237c409e374b2b7a449f3cfa859b77b9780b79fa9c53c0beaf4f
Instruction Fuzzy Hash: 89818E76A183618FC714CF68D98065AFBE2BFC8314F168A1CE994A7354D771F806CB92

Uniqueness

Uniqueness Score: -1.00%

Function 04F258B8 Relevance: 1.7, APIs: 1, Instructions: 160
nativethreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtCreateThreadEx.NTDLL(?,?,?,?,?,?,?,?,?,?,?), ref: 04F258F9

Memory Dump Source

Source File: 0000000F.00000002.2437055607.0000000004F21000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f21000_regsvr32.jbxd

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 576f73e74e6d3e27801d0072f3dd9d74aec0c3754bd2baff566bcdf410d9d1f9
Instruction ID: 5bdb51a7b2de648e205574950de76f3f23b78eb276d9a802782efcdd52d6f64a
Opcode Fuzzy Hash: 576f73e74e6d3e27801d0072f3dd9d74aec0c3754bd2baff566bcdf410d9d1f9
Instruction Fuzzy Hash: 0A714176E00129DFDF18CF64C991AEDBBB2FF88310F558199D40AA7245DB34AA86CF50

Uniqueness

Uniqueness Score: -1.00%

Function 04F252AB Relevance: 1.6, APIs: 1, Instructions: 137
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 04F252CB

Memory Dump Source

Source File: 0000000F.00000002.2437055607.0000000004F21000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f21000_regsvr32.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: c919524f0c6088d8906ac656826ad06a8c2b86e6c03e2da1ffa45af9e8662c52
Instruction ID: 9cdf5d56de2b82a8f7ded3dc6e3463725a6329999d9479564f2083dd9ecd5c86
Opcode Fuzzy Hash: c919524f0c6088d8906ac656826ad06a8c2b86e6c03e2da1ffa45af9e8662c52
Instruction Fuzzy Hash: 34519236A182519FD718CE64C59092FFBF2BFC8310F15992DE58697280CB74BC46CB92

Uniqueness

Uniqueness Score: -1.00%

Function 04F2E191 Relevance: 1.6, APIs: 1, Instructions: 137
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileMappingW.KERNELBASE(?,?,?), ref: 04F2E215

Memory Dump Source

Source File: 0000000F.00000002.2437055607.0000000004F21000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f21000_regsvr32.jbxd

Similarity

API ID: CreateFileMapping
String ID:
API String ID: 524692379-0
Opcode ID: 5ad7bde200f08201916453e7abe513e1485586c8e499965509060148490c425e
Instruction ID: c36b9f1299e4c7efef38fd646f29a6b57bf61b78ae4f5669d14fceb2eca7aae1
Opcode Fuzzy Hash: 5ad7bde200f08201916453e7abe513e1485586c8e499965509060148490c425e
Instruction Fuzzy Hash: C551B0776082518FC711CF28C98169ABBF2FFC9310F56892DE596A7210DB34B856CF82

Uniqueness

Uniqueness Score: -1.00%

Function 04F21972 Relevance: 1.4, APIs: 1, Instructions: 116
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualFree.KERNELBASE(?,?,?), ref: 04F219A2

Memory Dump Source

Source File: 0000000F.00000002.2437055607.0000000004F21000.00000020.00001000.00020000.00000000.sdmp, Offset: 04F21000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4f21000_regsvr32.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 97ecfdfe9a5b6f5d7e9d3bc02082496cf8fd2744cd5a17908d288bca4f8a1f9b
Instruction ID: 7c7e30479f234281748a1f7ac7196014a170a40c43c418bea727dbbc9bc58c57
Opcode Fuzzy Hash: 97ecfdfe9a5b6f5d7e9d3bc02082496cf8fd2744cd5a17908d288bca4f8a1f9b
Instruction Fuzzy Hash: 21417B322183518FD318CF29D991A5AB7E2BFC8304F148A1DE19ACB355DB30E846CB56

Uniqueness

Uniqueness Score: -1.00%

Function 030C17F1 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 93
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualProtect.KERNELBASE ref: 030C1A34

Strings

`, xrefs: 030C1967

Memory Dump Source

Source File: 0000000F.00000002.2436721964.00000000030C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30c0000_regsvr32.jbxd

Similarity

API ID: ProtectVirtual
String ID: `
API String ID: 544645111-2679148245
Opcode ID: d7d7dceef974ff3c716b1f8b1089e7a265db3eedff0d0a724122a09d65dd6324
Instruction ID: e5069f2152010cb2ae2de3a54fcb20ff213208a2cb0ffba55598994d5162e6e5
Opcode Fuzzy Hash: d7d7dceef974ff3c716b1f8b1089e7a265db3eedff0d0a724122a09d65dd6324
Instruction Fuzzy Hash: 5D41ADB5E002288FDB54CF48C980B89FBF1FF49314F1581AAC949AB356D735AA85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 030C1B18 Relevance: 1.3, APIs: 1, Instructions: 86
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE ref: 030C1B90

Memory Dump Source

Source File: 0000000F.00000002.2436721964.00000000030C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 030C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_30c0000_regsvr32.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4b7059f85b080fa01b4642cf3eac78d38002d63109ef6a0a3d63f93cb4654bc9
Instruction ID: 008b0fbaa583de4024e51ec4232d1846b891d188ad115a87f78aae6d74ea8534
Opcode Fuzzy Hash: 4b7059f85b080fa01b4642cf3eac78d38002d63109ef6a0a3d63f93cb4654bc9
Instruction Fuzzy Hash: 124113B49012058FDB08DFA4C5947AEBBF0FF48308F2485ADD858AB351D37AA946CF95

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: 5C46.exePID: 1656, Parent PID: 1444COMMON

Execution Graph

Execution Coverage:	14.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	422
Total number of Limit Nodes:	24

Executed Functions

Function 004023F2 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 82
librarynativeshutdownCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(advapi32.dll), ref: 00402404
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00402488
AdjustTokenPrivileges.KERNELBASE(?,00000000,00000001,00000000,00000000,?), ref: 004024B4
LoadLibraryA.KERNEL32(NTDLL.DLL), ref: 004024D2
NtShutdownSystem.NTDLL(00000001), ref: 004024F1

Strings

SeShutdownPrivilege, xrefs: 00402481
advapi32.dll, xrefs: 004023FF
NTDLL.DLL, xrefs: 004024CD

Memory Dump Source

Source File: 00000010.00000002.2442180440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2442154924.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442206283.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442232703.0000000000413000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442281740.000000000046E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_5C46.jbxd

Yara matches

Similarity

API ID: LibraryLoad$AdjustLookupPrivilegePrivilegesShutdownSystemTokenValue
String ID: NTDLL.DLL$SeShutdownPrivilege$advapi32.dll
API String ID: 2117616786-2471717051
Opcode ID: e654aa5178626686adecf490f11625747cc8277270b74630ebdda96dc98469bc
Instruction ID: 3c0ce9a7761a6e63309c521fc4ca6a6d9466e377a545f21450368ef7aac56ae8
Opcode Fuzzy Hash: e654aa5178626686adecf490f11625747cc8277270b74630ebdda96dc98469bc
Instruction Fuzzy Hash: F13146B1E10209EBDB04DFE0CD46BEEBB74EB44701F20416AF501B66C0E7795A44CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00409543 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 78
memorylibrarynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409574
NtAllocateVirtualMemory.NTDLL(000000FF,0046C2D0,00000000,00001000,00003000,00000004), ref: 004095E1
EnterCriticalSection.KERNEL32(DB51E8EC), ref: 00409610
RtlInitUnicodeString.NTDLL(00000180,00630000), ref: 00409626
RtlInitUnicodeString.NTDLL(00000178,00630000), ref: 0040963C
LeaveCriticalSection.KERNEL32(DB51E8EC), ref: 00409649
LdrEnumerateLoadedModules.NTDLL(00000000,004050A2,00404393), ref: 0040965A

Strings

explorer.exe, xrefs: 004095A8

Memory Dump Source

Source File: 00000010.00000002.2442180440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2442154924.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442206283.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442232703.0000000000413000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442281740.000000000046E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_5C46.jbxd

Yara matches

Similarity

API ID: CriticalInitSectionStringUnicode$AllocateDirectoryEnterEnumerateLeaveLoadedMemoryModulesVirtualWindows
String ID: explorer.exe
API String ID: 3728205514-3187896405
Opcode ID: 971d90eb416ca67aafcaf3557b906dfb5bbb6d99924e81ee9f7e95ee9359d988
Instruction ID: d3c5517ac64ebe0f4a93bb8fcf9093c65cacff95b6910bca11f849b0b04bbd4d
Opcode Fuzzy Hash: 971d90eb416ca67aafcaf3557b906dfb5bbb6d99924e81ee9f7e95ee9359d988
Instruction Fuzzy Hash: 4F3195B5940208EBC704DF90DCC5FA97775AB48305F1081BAFA05672D1E7B8AE85CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 00408958 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 57
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 004047E4
CreateFileA.KERNELBASE(\\.\C:,00000000,00000003,00000000,00000003,00000000,00000000), ref: 00408972
DeviceIoControl.KERNELBASE(?,00560000,00000000,00000000,?,00000020,?,00000000), ref: 00408994

Strings

\\.\C:, xrefs: 0040896D
\\.\PHYSICALDRIVE0, xrefs: 004089A0

Memory Dump Source

Source File: 00000010.00000002.2442180440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2442154924.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442206283.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442232703.0000000000413000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442281740.000000000046E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_5C46.jbxd

Yara matches

Similarity

API ID: ChangeCloseControlCreateDeviceFileFindNotification
String ID: \\.\C:$\\.\PHYSICALDRIVE0
API String ID: 1020254441-2160117148
Opcode ID: 320e27fcbf62a17e998bc26e42cf0c1a2d27fdc4df0059520f6dda202d1693b9
Instruction ID: 6179182b2b83b9443c5bd9d33f461fa1aeab268a59a3a7b7debce46551af33e6
Opcode Fuzzy Hash: 320e27fcbf62a17e998bc26e42cf0c1a2d27fdc4df0059520f6dda202d1693b9
Instruction Fuzzy Hash: AF216D38640348EFD718CF68ED45F99BBB4EB48701F10C1AAE905AB3E1D6B49B40CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040895B Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 57
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 004047E4
CreateFileA.KERNELBASE(\\.\C:,00000000,00000003,00000000,00000003,00000000,00000000), ref: 00408972
DeviceIoControl.KERNELBASE(?,00560000,00000000,00000000,?,00000020,?,00000000), ref: 00408994

Strings

\\.\C:, xrefs: 0040896D
\\.\PHYSICALDRIVE0, xrefs: 004089A0

Memory Dump Source

Source File: 00000010.00000002.2442180440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2442154924.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442206283.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442232703.0000000000413000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442281740.000000000046E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_5C46.jbxd

Yara matches

Similarity

API ID: ChangeCloseControlCreateDeviceFileFindNotification
String ID: \\.\C:$\\.\PHYSICALDRIVE0
API String ID: 1020254441-2160117148
Opcode ID: 6e1c8ed08f6fcb21cf0fed49fef2ed80236c62ed62855b81c13f5c76d91f0969
Instruction ID: 711083b2bbb86b7d36e7a7c78397dedf6b4307ebbdc5261e1e4f3fe33cb2826c
Opcode Fuzzy Hash: 6e1c8ed08f6fcb21cf0fed49fef2ed80236c62ed62855b81c13f5c76d91f0969
Instruction Fuzzy Hash: 6F215C38600308AFD718CF58DC46F99BBB4AB48701F10C0AAE905AB3E1D6B4AA40CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00408951 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 56
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 004047E4
CreateFileA.KERNELBASE(\\.\C:,00000000,00000003,00000000,00000003,00000000,00000000), ref: 00408972
DeviceIoControl.KERNELBASE(?,00560000,00000000,00000000,?,00000020,?,00000000), ref: 00408994

Strings

\\.\C:, xrefs: 0040896D
\\.\PHYSICALDRIVE0, xrefs: 004089A0

Memory Dump Source

Source File: 00000010.00000002.2442180440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2442154924.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442206283.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442232703.0000000000413000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442281740.000000000046E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_5C46.jbxd

Yara matches

Similarity

API ID: ChangeCloseControlCreateDeviceFileFindNotification
String ID: \\.\C:$\\.\PHYSICALDRIVE0
API String ID: 1020254441-2160117148
Opcode ID: 43b5c774c06db54b38c673015130514d13990ffabb50efddd8f557c0ac6fe542
Instruction ID: 389e508c5a35674a8dec956cf5ed0ace9ff19c3110c7d277eeff61c57732489a
Opcode Fuzzy Hash: 43b5c774c06db54b38c673015130514d13990ffabb50efddd8f557c0ac6fe542
Instruction Fuzzy Hash: 79216D78604348EFD708CF58E855BA9BBB4EB48711F10C1AAE905AB3E1D7B49B40CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00401B2C Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 39
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtQueryInformationProcess.NTDLL(00000000,00000000,00000020,00000020,00000000), ref: 00402AA8

Strings

, xrefs: 00402A93

Memory Dump Source

Source File: 00000010.00000002.2442180440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2442154924.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442206283.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442232703.0000000000413000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442281740.000000000046E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_5C46.jbxd

Yara matches

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-3916222277
Opcode ID: 99cf6030004cc14fcfbf758772858fa4ef28e9fcd54024a0ddfc1a5f41bc18d2
Instruction ID: b5fb0c1052741472a29b3626a296402ee31a9556d555090f334d473f401f16ea
Opcode Fuzzy Hash: 99cf6030004cc14fcfbf758772858fa4ef28e9fcd54024a0ddfc1a5f41bc18d2
Instruction Fuzzy Hash: 0E01A471D04308FBDB00DF90C98A7EDBBB8AB05314F24506AE540772C1E7BC9685A75A

Uniqueness

Uniqueness Score: -1.00%

Function 0040AEA4 Relevance: 3.0, APIs: 2, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000010.00000002.2442180440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2442154924.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442206283.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442232703.0000000000413000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442281740.000000000046E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_5C46.jbxd

Yara matches

Similarity

API ID: Module$FileHandleInitializeLibraryLoadName
String ID:
API String ID: 1691763914-0
Opcode ID: 7a2ac303de4b0b2ba4ade585fa2e29916ceed782501468d31b7631315bf6b27d
Instruction ID: b20ac1345fbffd2ee6b09d0fcfa97f88ae309217d757d61775f2d603f36cc11d
Opcode Fuzzy Hash: 7a2ac303de4b0b2ba4ade585fa2e29916ceed782501468d31b7631315bf6b27d
Instruction Fuzzy Hash: 0BF0BE70608345D6C6047FB38E4672A76B8AF0030DF10407FFD02B62D2EA7E9A11559F

Uniqueness

Uniqueness Score: -1.00%

Function 00407D21 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 00407D33

Memory Dump Source

Source File: 00000010.00000002.2442180440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2442154924.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442206283.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442232703.0000000000413000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442281740.000000000046E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_5C46.jbxd

Yara matches

Similarity

API ID: CurrentProcess
String ID:
API String ID: 2050909247-0
Opcode ID: 5469e9984ee0613fe67692c8399fce14f271ad5feb70d4257aac3e9e61b94720
Instruction ID: 2d0ccdd24a91546423dca3ee3cf720458c613a0087a6006a7f2d7a66fbfa4b10
Opcode Fuzzy Hash: 5469e9984ee0613fe67692c8399fce14f271ad5feb70d4257aac3e9e61b94720
Instruction Fuzzy Hash: 4CF065B4D00348EFC704EFA599896ADBBB4AB04701F10857AE85277395E2BC5644CF9A

Uniqueness

Uniqueness Score: -1.00%

Function 0040E52B Relevance: 13.8, APIs: 11, Instructions: 60
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LocalAlloc.KERNELBASE(00000040,00004000,004046B5,?,0040C145,004046B5,?,00401BD7), ref: 0040E53D
LocalAlloc.KERNEL32(00000040,00004000,?,0040C145,004046B5,?,00401BD7), ref: 0040E54F
LocalAlloc.KERNEL32(00000040,00004000,?,0040C145,004046B5,?,00401BD7), ref: 0040E561
LocalAlloc.KERNEL32(00000040,00001000,?,0040C145,004046B5,?,00401BD7), ref: 0040E573
LocalAlloc.KERNEL32(00000040,00001000,?,0040C145,004046B5,?,00401BD7), ref: 0040E585
LocalAlloc.KERNEL32(00000040,00008000,?,0040C145,004046B5,?,00401BD7), ref: 0040E597
LocalAlloc.KERNEL32(00000040,00008004,?,0040C145,004046B5,?,00401BD7), ref: 0040E5A9
LocalAlloc.KERNEL32(00000040,000001F4,?,0040C145,004046B5,?,00401BD7), ref: 0040E5E5
LocalAlloc.KERNEL32(00000040,000000FC,?,0040C145,004046B5,?,00401BD7), ref: 0040E5F7
LocalAlloc.KERNEL32(00000040,00000400,?,0040C145,004046B5,?,00401BD7), ref: 0040E609
LocalAlloc.KERNEL32(00000040,00010000,?,0040C145,004046B5,?,00401BD7), ref: 0040E61B

Memory Dump Source

Source File: 00000010.00000002.2442180440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2442154924.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442206283.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442232703.0000000000413000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442281740.000000000046E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_5C46.jbxd

Yara matches

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: 65ac8032e033309efcc9f8c0d48804f40c42494c7e65b2be43682c95c20d6d53
Instruction ID: 884c2741ace77f4595bd006b1489b08cdeecc1dacb1c364e852769e485284a96
Opcode Fuzzy Hash: 65ac8032e033309efcc9f8c0d48804f40c42494c7e65b2be43682c95c20d6d53
Instruction Fuzzy Hash: 44213CB4A41300AFF354AF65AC56B743AA0F708B59F108035FB89A63E0F6F455858E5F

Uniqueness

Uniqueness Score: -1.00%

Function 00405C4C Relevance: 12.1, APIs: 8, Instructions: 78
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(00000000), ref: 00401244
LocalFree.KERNEL32(00000000), ref: 00403BD3
GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000), ref: 00407A5F
LocalAlloc.KERNEL32(00000000,00000000), ref: 00407A6B
GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000), ref: 00407A86
OpenProcessToken.ADVAPI32(000000FF,00000008,00000000), ref: 00409C94

Memory Dump Source

Source File: 00000010.00000002.2442180440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2442154924.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442206283.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442232703.0000000000413000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442281740.000000000046E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_5C46.jbxd

Yara matches

Similarity

API ID: Token$InformationLocal$AllocChangeCloseFindFreeNotificationOpenProcess
String ID:
API String ID: 2854556994-0
Opcode ID: 2fabac034638274b2c3e67be2bc06953f5cdff95292f6c9f39c7e9c359d166b0
Instruction ID: 2e4b4cc31351ce880421fb230fd6ac05725b6f10eb8191371f756e524e2f733f
Opcode Fuzzy Hash: 2fabac034638274b2c3e67be2bc06953f5cdff95292f6c9f39c7e9c359d166b0
Instruction Fuzzy Hash: ED313CB4A04208FFDB14CFD4C948BAEBBF8AB48301F1081AAE511B72D4D774AB04DB65

Uniqueness

Uniqueness Score: -1.00%

Function 00404369 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 59
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000105), ref: 00404380
CoInitialize.OLE32(00000000), ref: 00404388

Part of subcall function 00409543: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 00409574
Part of subcall function 00409543: NtAllocateVirtualMemory.NTDLL(000000FF,0046C2D0,00000000,00001000,00003000,00000004), ref: 004095E1
Part of subcall function 00409543: EnterCriticalSection.KERNEL32(DB51E8EC), ref: 00409610
Part of subcall function 00409543: RtlInitUnicodeString.NTDLL(00000180,00630000), ref: 00409626
Part of subcall function 00409543: RtlInitUnicodeString.NTDLL(00000178,00630000), ref: 0040963C
Part of subcall function 00409543: LeaveCriticalSection.KERNEL32(DB51E8EC), ref: 00409649
Part of subcall function 00409543: LdrEnumerateLoadedModules.NTDLL(00000000,004050A2,00404393), ref: 0040965A

Part of subcall function 00405C4C: FindCloseChangeNotification.KERNELBASE(00000000), ref: 00401244
Part of subcall function 00405C4C: LocalFree.KERNEL32(00000000), ref: 00403BD3
Part of subcall function 00405C4C: OpenProcessToken.ADVAPI32(000000FF,00000008,00000000), ref: 00409C94

ExitProcess.KERNEL32 ref: 0040A945

Strings

%systemroot%\system32\cmd.exe, xrefs: 00406402
/C , xrefs: 0040640F

Memory Dump Source

Source File: 00000010.00000002.2442180440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2442154924.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442206283.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442232703.0000000000413000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442281740.000000000046E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_5C46.jbxd

Yara matches

Similarity

API ID: CriticalInitProcessSectionStringUnicode$AllocateChangeCloseDirectoryEnterEnumerateExitFileFindFreeInitializeLeaveLoadedLocalMemoryModuleModulesNameNotificationOpenTokenVirtualWindows
String ID: %systemroot%\system32\cmd.exe$/C
API String ID: 41577365-3057154508
Opcode ID: a438ef9f5f25d9aebddb8c854ded96209a6b7bafee1d22157f4d592698697d9c
Instruction ID: 7b01f62542bec0b1d87828faea97dd6a3c55c304531570e4c9315d46f9a50642
Opcode Fuzzy Hash: a438ef9f5f25d9aebddb8c854ded96209a6b7bafee1d22157f4d592698697d9c
Instruction Fuzzy Hash: 9411ABB290430866D710BB60EC47FDE73299B54705F0045BBB709B50C2ED7997D88EAE

Uniqueness

Uniqueness Score: -1.00%

Function 00407AB9 Relevance: 6.1, APIs: 4, Instructions: 59
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(00000000), ref: 00401244
LocalFree.KERNEL32(00000000), ref: 00403BD3
LocalAlloc.KERNEL32(00000000,00000000), ref: 00407A6B
GetTokenInformation.KERNELBASE(00000000,00000019(TokenIntegrityLevel),00000000,00000000,00000000), ref: 00407A86

Memory Dump Source

Source File: 00000010.00000002.2442180440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2442154924.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442206283.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442232703.0000000000413000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442281740.000000000046E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_5C46.jbxd

Yara matches

Similarity

API ID: Local$AllocChangeCloseFindFreeInformationNotificationToken
String ID:
API String ID: 2094194634-0
Opcode ID: dfd389ba0a6e21506ee3ce54b84a7e53c4fc79e48b909ed38b184a154f02c170
Instruction ID: 8c14f008afbfcab52b1f24e0be9b5b67c8a06fc3440972dff98bedf792b56cd5
Opcode Fuzzy Hash: dfd389ba0a6e21506ee3ce54b84a7e53c4fc79e48b909ed38b184a154f02c170
Instruction Fuzzy Hash: 2E215E74D04208EFCB04CFE4C959AEEBBB5AB08305F1480AAE505B7394C7746B40DF29

Uniqueness

Uniqueness Score: -1.00%

Function 00403AEE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateMutexW.KERNELBASE(00000000,00000000,jmuZVxzUSQKZJ,?,?,004044C1,?,?,004046B5), ref: 00403AFB
GetLastError.KERNEL32(?,?,004044C1,?,?,004046B5), ref: 00403B06

Strings

jmuZVxzUSQKZJ, xrefs: 00403AF2

Memory Dump Source

Source File: 00000010.00000002.2442180440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2442154924.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442206283.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442232703.0000000000413000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442281740.000000000046E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_5C46.jbxd

Yara matches

Similarity

API ID: CreateErrorLastMutex
String ID: jmuZVxzUSQKZJ
API String ID: 1925916568-1615886713
Opcode ID: 97f4a8950689e7290d3bb4c401befd14a09affdda078bd002e7cbc94f52d7475
Instruction ID: 0594eaefbf50b0c8ed9c9a89b72dfe51cd43608961eacb7f94053228cce8ae52
Opcode Fuzzy Hash: 97f4a8950689e7290d3bb4c401befd14a09affdda078bd002e7cbc94f52d7475
Instruction Fuzzy Hash: 32D017B044A304FAE3008F50DE4DB587EA4EB10702F208036E2026A2D4E3F85A45564A

Uniqueness

Uniqueness Score: -1.00%

Function 00403072 Relevance: 4.6, APIs: 3, Instructions: 81
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040895B: FindCloseChangeNotification.KERNELBASE(?), ref: 004047E4
Part of subcall function 0040895B: CreateFileA.KERNELBASE(\\.\C:,00000000,00000003,00000000,00000003,00000000,00000000), ref: 00408972
Part of subcall function 0040895B: DeviceIoControl.KERNELBASE(?,00560000,00000000,00000000,?,00000020,?,00000000), ref: 00408994

CreateFileA.KERNELBASE(?,C0000000,00000003,00000000,00000003,30000080,00000000), ref: 0040309A
DeviceIoControl.KERNELBASE(000001F8,0007405C,00000000,00000000,0046CB60,00000008,?,00000000), ref: 0040882A

Memory Dump Source

Source File: 00000010.00000002.2442180440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2442154924.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442206283.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442232703.0000000000413000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442281740.000000000046E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_5C46.jbxd

Yara matches

Similarity

API ID: ControlCreateDeviceFile$ChangeCloseFindNotification
String ID:
API String ID: 678468364-0
Opcode ID: f40e64bbfca4cb1d53614c19df2d38540b9dd2651b1b1209df5de0d054ee8c58
Instruction ID: a0e7df79db3949de73361334ad2b5bb9c35e9f163141fb49d4e1771874b744e5
Opcode Fuzzy Hash: f40e64bbfca4cb1d53614c19df2d38540b9dd2651b1b1209df5de0d054ee8c58
Instruction Fuzzy Hash: FB317574F50201EBD750DB61FDC2B663364A704B08F10863AE985A62E0F7B8A5029F6F

Uniqueness

Uniqueness Score: -1.00%

Function 00403923 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 23
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LocalAlloc.KERNELBASE(00000040,00000000,0040234A,00000000), ref: 0040393C

Strings

J#@, xrefs: 0040392F

Memory Dump Source

Source File: 00000010.00000002.2442180440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2442154924.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442206283.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442232703.0000000000413000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442281740.000000000046E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_5C46.jbxd

Yara matches

Similarity

API ID: AllocLocal
String ID: J#@
API String ID: 3494564517-1245308917
Opcode ID: 19467080a526decec66838046e26b9bb124c136d8231779d530f3707eec05e2f
Instruction ID: 96f7a68253a7caa59ed99d58a6af94cef16a1ec6a7eb00646cb3d5ddcbfd36b8
Opcode Fuzzy Hash: 19467080a526decec66838046e26b9bb124c136d8231779d530f3707eec05e2f
Instruction Fuzzy Hash: B8F09BB8E04208EFCB04DF88D68189DFBF5EB48310F2081A9E948A7340D630AE41DB95

Uniqueness

Uniqueness Score: -1.00%

Function 0040B485 Relevance: 1.6, APIs: 1, Instructions: 133
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeviceIoControl.KERNELBASE(000001F8,0004D004,?,00000000,?,00000000,00000000,00000000), ref: 0040B613

Memory Dump Source

Source File: 00000010.00000002.2442180440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2442154924.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442206283.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442232703.0000000000413000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442281740.000000000046E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_5C46.jbxd

Yara matches

Similarity

API ID: ControlDevice
String ID:
API String ID: 2352790924-0
Opcode ID: 61738139d7721975275484778ac13903525e9063b07367c5274bb8a2ff343b39
Instruction ID: 955b2810cad582ab64bab9f2fc00926d3d94ddd31486b38c3d76b0e6824925a9
Opcode Fuzzy Hash: 61738139d7721975275484778ac13903525e9063b07367c5274bb8a2ff343b39
Instruction Fuzzy Hash: CF514975A00208EFEB04CF98C591B9EBBB1EF94304F2881E9D9006B386C675EF41DB91

Uniqueness

Uniqueness Score: -1.00%

Function 0040CCC4 Relevance: 1.6, APIs: 1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.2442180440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2442154924.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442206283.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442232703.0000000000413000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442281740.000000000046E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_5C46.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52feb7105ccc154861b194a815cc79ff19998883af9ca8cb1e6121868c2185b6
Instruction ID: b0a1cca4c76cdf7f661d8f2e5d02ec42dbbd4e19700d0716b40d81d1197e7497
Opcode Fuzzy Hash: 52feb7105ccc154861b194a815cc79ff19998883af9ca8cb1e6121868c2185b6
Instruction Fuzzy Hash: A6513975A00108EFDB08CF98C594B9EBBB1EB94304F2481A9E9056B3C2C775EF41DB91

Uniqueness

Uniqueness Score: -1.00%

Function 0040B453 Relevance: 1.6, APIs: 1, Instructions: 119COMMON

Download Yara Rule

APIs

DeviceIoControl.KERNELBASE(000001F8,0004D004,?,00000000,?,00000000,00000000,00000000), ref: 0040B613

Memory Dump Source

Source File: 00000010.00000002.2442180440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2442154924.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442206283.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442232703.0000000000413000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442281740.000000000046E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_5C46.jbxd

Yara matches

Similarity

API ID: ControlDevice
String ID:
API String ID: 2352790924-0
Opcode ID: a18e5d1472410fca8ca710374cb3d90e60d246b078c147aac9527c84940cfddb
Instruction ID: 4278b43e27663415cba18f20cd4f792bdb1a65b806582fdca38cb5ba5a4c1545
Opcode Fuzzy Hash: a18e5d1472410fca8ca710374cb3d90e60d246b078c147aac9527c84940cfddb
Instruction Fuzzy Hash: 5D515B75A04244DFEB08CF98C590BAABBB2EF94304F2881E9D9015B387C675EE41DB91

Uniqueness

Uniqueness Score: -1.00%

Function 004069BB Relevance: 1.5, APIs: 1, Instructions: 36libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00F1B4B0,?,8B6DF01F,?), ref: 0040A53E

Memory Dump Source

Source File: 00000010.00000002.2442180440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2442154924.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442206283.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442232703.0000000000413000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442281740.000000000046E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_5C46.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f586a6cd2cf2dbeeef7eea32102fec9f33a1a5ead16db59af31ba7ceb6fdb687
Instruction ID: df007bf62870af7b74df0dbbe881ec21055e906183b30cdd37e1bfed71aa1605
Opcode Fuzzy Hash: f586a6cd2cf2dbeeef7eea32102fec9f33a1a5ead16db59af31ba7ceb6fdb687
Instruction Fuzzy Hash: 6FE0EC631002087AD7102995DC46FE7765DD7C83A9F508432F705E61D1D63DD95092AE

Uniqueness

Uniqueness Score: -1.00%

Function 0040158C Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

DeviceIoControl.KERNELBASE(000001F8,0007405C,00000000,00000000,?,00000008,00405A0B,00000000), ref: 004015AE

Memory Dump Source

Source File: 00000010.00000002.2442180440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2442154924.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442206283.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442232703.0000000000413000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442281740.000000000046E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_5C46.jbxd

Yara matches

Similarity

API ID: ControlDevice
String ID:
API String ID: 2352790924-0
Opcode ID: 98b00b6936f3a10efa9a674e71bb74e0dcfe603724a387bcbcad0dffbf1469cf
Instruction ID: 99371d9e342f55f1bbc85bd8c476da0c26e9402948ab4de55a1e54ae49f6dd3b
Opcode Fuzzy Hash: 98b00b6936f3a10efa9a674e71bb74e0dcfe603724a387bcbcad0dffbf1469cf
Instruction Fuzzy Hash: 5BF03076E44204BAE714EBA48C82F6B776DE744704F1081A9B605F61C0EA74AA018BBA

Uniqueness

Uniqueness Score: -1.00%

Function 00401352 Relevance: 1.5, APIs: 1, Instructions: 29memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?,?,?,00000000,30DBCA36), ref: 0040139E

Memory Dump Source

Source File: 00000010.00000002.2442180440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2442154924.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442206283.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442232703.0000000000413000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442281740.000000000046E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_5C46.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 23b8f15108349a094178a66cda89c25afec04ff88fbbd6386f4d34c7ae965c1b
Instruction ID: a34d84a8aa74edc03bf23277289f2878ef58b524965e171c6cbb9bf5a1c13c13
Opcode Fuzzy Hash: 23b8f15108349a094178a66cda89c25afec04ff88fbbd6386f4d34c7ae965c1b
Instruction Fuzzy Hash: 6EF01276C0020CFFCF01AFA5C995CADBF75FF08204B0484AEF90426162DB369A24EB04

Uniqueness

Uniqueness Score: -1.00%

Function 0040A554 Relevance: 1.5, APIs: 1, Instructions: 28libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00F1B4B0,?,8B6DF01F,?), ref: 0040A53E

Memory Dump Source

Source File: 00000010.00000002.2442180440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2442154924.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442206283.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442232703.0000000000413000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442281740.000000000046E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_5C46.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: e49d5435ce23adc9ba57d6308fbfbf1d6f88da9ad89fc2230d2c21acb333a382
Instruction ID: 523668955e0e2244aa789caa92f6427d01868abc63ade59164da16a1192ab317
Opcode Fuzzy Hash: e49d5435ce23adc9ba57d6308fbfbf1d6f88da9ad89fc2230d2c21acb333a382
Instruction Fuzzy Hash: A5E0D831004604ADCB11DE58EC8EBDA7298D705311F6498339906FD581CB3CDA85859F

Uniqueness

Uniqueness Score: -1.00%

Function 0040135E Relevance: 1.5, APIs: 1, Instructions: 28memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?,?,?,00000000,30DBCA36), ref: 0040139E

Memory Dump Source

Source File: 00000010.00000002.2442180440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2442154924.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442206283.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442232703.0000000000413000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442281740.000000000046E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_5C46.jbxd

Yara matches

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: fe7d76ad10c6a880bf5e1dfd2e6ced56b71b8bba822c6e1022d11efbb5b05653
Instruction ID: c3339b175f8b132734afde4b87bcd326777cd273dbfa93b5593f16fc1374389e
Opcode Fuzzy Hash: fe7d76ad10c6a880bf5e1dfd2e6ced56b71b8bba822c6e1022d11efbb5b05653
Instruction Fuzzy Hash: 3DF0F876C0020CBFCF01AFA5D955C9DBFB9FF48200F0084AEB91466162D7369A20AB54

Uniqueness

Uniqueness Score: -1.00%

Function 004047DB Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(?), ref: 004047E4

Memory Dump Source

Source File: 00000010.00000002.2442180440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2442154924.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442206283.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442232703.0000000000413000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442281740.000000000046E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_5C46.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 425319291f41f57d8ddd7af97c040428323980b2498e4bb20d22353919547d1b
Instruction ID: c9214f333475bc89ecd2d70b7295bcdaad91083d6e94d736a289ab9c47a493dc
Opcode Fuzzy Hash: 425319291f41f57d8ddd7af97c040428323980b2498e4bb20d22353919547d1b
Instruction Fuzzy Hash: B1B01261D0D14C13CF209B3168041947B29E6D5609B1003DCEC0D201229B13D41047A3

Uniqueness

Uniqueness Score: -1.00%

Function 0040930C Relevance: 1.3, APIs: 1, Instructions: 13memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNELBASE(00000040,?,?,?,00401D6F,?,00000004), ref: 0040931A

Memory Dump Source

Source File: 00000010.00000002.2442180440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2442154924.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442206283.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442232703.0000000000413000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442281740.000000000046E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_5C46.jbxd

Yara matches

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: fbf826679867081d8f65b02a643174af9db75dbf243e506da0a382be49be1460
Instruction ID: c1ed8782e068432966769c92f22ccf836d2bf65aa78af723960710e09a7f87a5
Opcode Fuzzy Hash: fbf826679867081d8f65b02a643174af9db75dbf243e506da0a382be49be1460
Instruction Fuzzy Hash: 6BD0C975A0420CBBCB00DF88E942D59BBECEB09214F004195FE0CDB240D671AE008A95

Uniqueness

Uniqueness Score: -1.00%

Function 0040CC5F Relevance: 1.3, APIs: 1, Instructions: 8memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNELBASE(00000000,00405A18,?,00405A18,00000070,?,?,?,00401322), ref: 0040CC68

Memory Dump Source

Source File: 00000010.00000002.2442180440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2442154924.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442206283.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442232703.0000000000413000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442281740.000000000046E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_5C46.jbxd

Yara matches

Similarity

API ID: AllocLocal
String ID:
API String ID: 3494564517-0
Opcode ID: f3e2705f243469e8b18360c5bb887dd51615c543d62bfa3a82b819ceace6c8ed
Instruction ID: 4f1da3139afef55b26450597318142262e87c8731a1b2672ee4cfa4472a97f69
Opcode Fuzzy Hash: f3e2705f243469e8b18360c5bb887dd51615c543d62bfa3a82b819ceace6c8ed
Instruction Fuzzy Hash: 7CB0123564430CBBD6006BC8EC05FE5379CE708A1AF000010FA0C86140D6A0B84046A6

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040D1F6 Relevance: 10.7, APIs: 3, Strings: 3, Instructions: 169libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll,?,0040AEB6,?,?,004046B5), ref: 0040D1FE
LoadLibraryA.KERNEL32(advapi32.dll), ref: 0040D336
LoadLibraryA.KERNEL32(ntdll.dll), ref: 0040D3A8

Strings

ntdll.dll, xrefs: 0040D3A3
kernel32.dll, xrefs: 0040D1F9
advapi32.dll, xrefs: 0040D331

Memory Dump Source

Source File: 00000010.00000002.2442180440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2442154924.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442206283.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442232703.0000000000413000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442281740.000000000046E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_5C46.jbxd

Yara matches

Similarity

API ID: LibraryLoad$HandleModule
String ID: advapi32.dll$kernel32.dll$ntdll.dll
API String ID: 2593893887-1356967432
Opcode ID: 77f18392bb993366c1df7b453053b3aeb51cb4a2013aefc10122c1c1374fb3f4
Instruction ID: ca720bcfbdb204521244a6d16e88fbee784b87e4b750a5d7fd7297a05bd30f3d
Opcode Fuzzy Hash: 77f18392bb993366c1df7b453053b3aeb51cb4a2013aefc10122c1c1374fb3f4
Instruction Fuzzy Hash: DC511DF2D10210EFD304BFA1BCC28393AB5E649305744457FF985A72A1F6B9A9448B6B

Uniqueness

Uniqueness Score: -1.00%

Function 00405312 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

RtlNtStatusToDosError.NTDLL(C0000023), ref: 004037E8
RtlRestoreLastWin32Error.NTDLL(00000000), ref: 004037EF
RtlInitUnicodeString.NTDLL(?,00007FFD), ref: 00408342
RtlExpandEnvironmentStrings_U.NTDLL(00000000,?,?,00000000), ref: 00408372

Strings

#, xrefs: 00408385

Memory Dump Source

Source File: 00000010.00000002.2442180440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2442154924.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442206283.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442232703.0000000000413000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442281740.000000000046E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_5C46.jbxd

Yara matches

Similarity

API ID: Error$EnvironmentExpandInitLastRestoreStatusStringStrings_UnicodeWin32
String ID: #
API String ID: 4202685462-1885708031
Opcode ID: d2950aec320787fbfdd949c7a338a73876b2f1d301fb6a4be3977a861f702f93
Instruction ID: 2625ad76528c3a05819e41784e94355af3192e6a8ec1aace2841fc774e878e1c
Opcode Fuzzy Hash: d2950aec320787fbfdd949c7a338a73876b2f1d301fb6a4be3977a861f702f93
Instruction Fuzzy Hash: D5115175D14209EFDB14DFE4C984AAEBB79EF08301F10856AE915B32C0EB789705CB56

Uniqueness

Uniqueness Score: -1.00%

Function 00409727 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 53COMMON

Download Yara Rule

Strings

$, xrefs: 0040D1CB
Elevation:Administrator!new:, xrefs: 0040D196

Memory Dump Source

Source File: 00000010.00000002.2442180440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2442154924.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442206283.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442232703.0000000000413000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442281740.000000000046E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_5C46.jbxd

Yara matches

Similarity

API ID:
String ID: $$Elevation:Administrator!new:
API String ID: 0-4251798642
Opcode ID: 62b649c32f93d2337679038de5d7ba034d8f130c97f012f79e63509bd4f77841
Instruction ID: 0ae50f5eb3c30b6def060569edfd5a96dae8f03997bbe75f6d7b2be729599e56
Opcode Fuzzy Hash: 62b649c32f93d2337679038de5d7ba034d8f130c97f012f79e63509bd4f77841
Instruction Fuzzy Hash: B31154B1C1020CABCB10EF94DD85AEE7778AB54305F14456AFA097A181E738EB44CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 0040D17F Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 38COMMON

Download Yara Rule

APIs

CoGetObject.OLE32(?,00000024,?,?), ref: 0040D1EB

Strings

$, xrefs: 0040D1CB
Elevation:Administrator!new:, xrefs: 0040D196

Memory Dump Source

Source File: 00000010.00000002.2442180440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2442154924.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442206283.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442232703.0000000000413000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442281740.000000000046E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_5C46.jbxd

Yara matches

Similarity

API ID: Object
String ID: $$Elevation:Administrator!new:
API String ID: 2936123098-4251798642
Opcode ID: 69272883a17b5f6f07e2d21893714d2c4baf9a1707031f0601c46702adeeea6a
Instruction ID: b31a3ccbf289bc63fcd2c03f84205c468a6b0dd351633bc6c62a4601e098767b
Opcode Fuzzy Hash: 69272883a17b5f6f07e2d21893714d2c4baf9a1707031f0601c46702adeeea6a
Instruction Fuzzy Hash: 140162B2810208ABCB05EF90DC95DDE7B78AB18305F08455EF9057A181EB39E748CB75

Uniqueness

Uniqueness Score: -1.00%

Function 004063CE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00405C4C: FindCloseChangeNotification.KERNELBASE(00000000), ref: 00401244
Part of subcall function 00405C4C: LocalFree.KERNEL32(00000000), ref: 00403BD3
Part of subcall function 00405C4C: OpenProcessToken.ADVAPI32(000000FF,00000008,00000000), ref: 00409C94

ExitProcess.KERNEL32 ref: 0040A945

Part of subcall function 00405312: RtlInitUnicodeString.NTDLL(?,00007FFD), ref: 00408342
Part of subcall function 00405312: RtlExpandEnvironmentStrings_U.NTDLL(00000000,?,?,00000000), ref: 00408372

Strings

%systemroot%\system32\cmd.exe, xrefs: 00406402
/C , xrefs: 0040640F

Memory Dump Source

Source File: 00000010.00000002.2442180440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2442154924.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442206283.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442232703.0000000000413000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442281740.000000000046E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_5C46.jbxd

Yara matches

Similarity

API ID: Process$ChangeCloseEnvironmentExitExpandFindFreeInitLocalNotificationOpenStringStrings_TokenUnicode
String ID: %systemroot%\system32\cmd.exe$/C
API String ID: 1629495445-3057154508
Opcode ID: e58d919228d2999fb42e63e86339d7c771dc9b38e1630fc07efea9b8c1ce01d4
Instruction ID: 6885a5c3f576ce6d6f9b2f3c688c14414178aeb406d1450dcc701d4c4953fbe4
Opcode Fuzzy Hash: e58d919228d2999fb42e63e86339d7c771dc9b38e1630fc07efea9b8c1ce01d4
Instruction Fuzzy Hash: 88F0A4F280030866CB10EB70DC46FDA33389B14305F0045BAB609B60C2EE7997C88AAD

Uniqueness

Uniqueness Score: -1.00%

Function 004050A2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 30COMMON

Download Yara Rule

APIs

RtlInitUnicodeString.NTDLL(?,00630000), ref: 004050CC
RtlInitUnicodeString.NTDLL(?,explorer.exe), ref: 004050DE

Strings

explorer.exe, xrefs: 004050D2

Memory Dump Source

Source File: 00000010.00000002.2442180440.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true

Associated: 00000010.00000002.2442154924.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442206283.0000000000410000.00000002.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442232703.0000000000413000.00000004.00000001.01000000.00000008.sdmpDownload File
Associated: 00000010.00000002.2442281740.000000000046E000.00000002.00000001.01000000.00000008.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_400000_5C46.jbxd

Yara matches

Similarity

API ID: InitStringUnicode
String ID: explorer.exe
API String ID: 4228678080-3187896405
Opcode ID: 7d548acef704560823f98ce8b990f017fce1fd689d344c9a11bc31deb3c59b97
Instruction ID: 050ed0569a6514cfdb40d37d4b6a842c1993e2635d6f26a1999b978f90a0d4ff
Opcode Fuzzy Hash: 7d548acef704560823f98ce8b990f017fce1fd689d344c9a11bc31deb3c59b97
Instruction Fuzzy Hash: BAF09074204248EFCB04CF54C880E6ABBA6FB49304F20855AFC0597381C674ED91CB9A

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute malicious payloads via loading shared modules. Shared modules are executable files that are loaded into processes to provide access to reusable code, such as specific custom functions or invoking OS API functions (i.e., Native API ).
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use bootkits to persist on systems. Bootkits reside at a layer below the operating system and may make it difficult to perform full remediation unless an organization suspects one was used and can act accordingly.
Tactics:	Defense Evasion, Persistence
Data Sources:	Drive: Drive Modification
Platforms:	Linux, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may circumvent mechanisms designed to control elevate privileges to gain higher-level permissions. Most modern systems contain native elevation control mechanisms that are intended to limit privileges that a user can perform on a machine. Authorization has to be granted to specific users in order to perform tasks that can be considered of higher risk. An adversary can perform several methods to take advantage of built-in control mechanisms in order to escalate privileges on a system.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Modification, Windows Registry: Windows Registry Key Modification
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report v6SEx6rJ3E.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Threatname: LummaC

Threatname: SmokeLoader

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Exploits

Privilege Escalation

Bitcoin Miner

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\AEBKKECBGIIJJKECGIJE

C:\ProgramData\BAEHIEBGHDAFIEBGIEHJECGCGC

C:\ProgramData\BGHIDGCAFCBAAAAAFHDAEHCFIE

C:\ProgramData\BKJKJEHJJDAKECBFCGIDBGCAEG

Windows Analysis Report
v6SEx6rJ3E.exe

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Regsvr32.exe to proxy execution of malicious code. Regsvr32.exe is a command-line program used to register and unregister object linking and embedding controls, including dynamic link libraries (DLLs), on Windows systems. The Regsvr32.exe binary may also be signed by Microsoft.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Module: Module Load, Network Traffic: Network Connection Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre