
Windows Analysis Report
AV4b38nlhN.exe

Overview

General Information

Sample name: AV4b38nlhN.exe (renamed because the original name is a hash value)
Original sample name: d6bfab9dde06d4baddec652f65c16319.exe
Analysis ID: 1576157
MD5: d6bfab9dde06d4baddec652f65c16319
SHA1: c51e91131088afd83262f5aa7ba8df98399ec225
SHA256: cd5383086089a354036d4404547addc916f98422817e5fe53606d7fc7113610d
Tags: exe, user-abuse_ch

Detection

Score: 84
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Creates multiple autostart registry keys
Drops PE files to the startup folder
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: New RUN Key Pointing to Suspicious Folder
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Drops PE files
Enables debug privileges
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Stores files to the Windows start menu directory

Classification

  • System is w10x64
  • AV4b38nlhN.exe (PID: 3544 cmdline: "C:\Users\user\Desktop\AV4b38nlhN.exe" MD5: D6BFAB9DDE06D4BADDEC652F65C16319)
    • schtasks.exe (PID: 3416 cmdline: "schtasks.exe" /create /tn "MyClientAppTask_638699391290709030" /tr "C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe" /sc onlogon /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 5644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • dw20.exe (PID: 6920 cmdline: dw20.exe -x -s 980 MD5: 29F49B77C60A7F0A6A614C167FE64E3C)
    • backgroundTaskHost.exe (PID: 3416 cmdline: "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca MD5: DA7063B17DBB8BBB3015351016868006)
  • AV4b38nlhN.exe (PID: 2216 cmdline: C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe MD5: D6BFAB9DDE06D4BADDEC652F65C16319)
    • schtasks.exe (PID: 3404 cmdline: "schtasks.exe" /create /tn "MyClientAppTask_638699391308679816" /tr "C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe" /sc onlogon /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 5916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • dw20.exe (PID: 5588 cmdline: dw20.exe -x -s 1192 MD5: 29F49B77C60A7F0A6A614C167FE64E3C)
  • AV4b38nlhN.exe (PID: 2936 cmdline: "C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe" MD5: D6BFAB9DDE06D4BADDEC652F65C16319)
    • schtasks.exe (PID: 2128 cmdline: "schtasks.exe" /create /tn "MyClientAppTask_638699391446656104" /tr "C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\AV4b38nlhN.exe" /sc onlogon /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 3648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • dw20.exe (PID: 5812 cmdline: dw20.exe -x -s 880 MD5: 29F49B77C60A7F0A6A614C167FE64E3C)
  • AV4b38nlhN.exe (PID: 4788 cmdline: "C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe" MD5: D6BFAB9DDE06D4BADDEC652F65C16319)
    • schtasks.exe (PID: 6244 cmdline: "schtasks.exe" /create /tn "MyClientAppTask_638699391551663456" /tr "C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.exe" /sc onlogon /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 5688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • dw20.exe (PID: 6892 cmdline: dw20.exe -x -s 1152 MD5: 29F49B77C60A7F0A6A614C167FE64E3C)
  • AV4b38nlhN.exe (PID: 5916 cmdline: "C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\AV4b38nlhN.exe" MD5: D6BFAB9DDE06D4BADDEC652F65C16319)
    • schtasks.exe (PID: 4144 cmdline: "schtasks.exe" /create /tn "MyClientAppTask_638699391675304437" /tr "C:\Users\user\AppData\Local\Temp\f3x15nhp.vew\AV4b38nlhN.exe" /sc onlogon /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 5356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • dw20.exe (PID: 4160 cmdline: dw20.exe -x -s 1172 MD5: 29F49B77C60A7F0A6A614C167FE64E3C)
  • AV4b38nlhN.exe (PID: 7004 cmdline: "C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.exe" MD5: D6BFAB9DDE06D4BADDEC652F65C16319)
    • schtasks.exe (PID: 6860 cmdline: "schtasks.exe" /create /tn "MyClientAppTask_638699391812619093" /tr "C:\Users\user\AppData\Local\Temp\hayuutbg.cwy\AV4b38nlhN.exe" /sc onlogon /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 6820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • dw20.exe (PID: 5976 cmdline: dw20.exe -x -s 992 MD5: 29F49B77C60A7F0A6A614C167FE64E3C)
  • AV4b38nlhN.exe (PID: 612 cmdline: "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV4b38nlhN.exe" MD5: D6BFAB9DDE06D4BADDEC652F65C16319)
    • schtasks.exe (PID: 1396 cmdline: "schtasks.exe" /create /tn "MyClientAppTask_638699391947448790" /tr "C:\Users\user\AppData\Local\Temp\h4ljp22h.k2l\AV4b38nlhN.exe" /sc onlogon /f MD5: 76CD6626DD8834BD4A42E6A565104DC2)
      • conhost.exe (PID: 4132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • dw20.exe (PID: 1336 cmdline: dw20.exe -x -s 1172 MD5: 29F49B77C60A7F0A6A614C167FE64E3C)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Registry Key set | Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing | Data: Details: C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\AV4b38nlhN.exe, ProcessId: 3544, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyClientApp
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\AV4b38nlhN.exe, ProcessId: 3544, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyClientApp
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Users\user\Desktop\AV4b38nlhN.exe, ProcessId: 3544, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV4b38nlhN.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "schtasks.exe" /create /tn "MyClientAppTask_638699391308679816" /tr "C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe" /sc onlogon /f, CommandLine: "schtasks.exe" /create /tn "MyClientAppTask_638699391308679816" /tr "C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe" /sc onlogon /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe, ParentImage: C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe, ParentProcessId: 2216, ParentProcessName: AV4b38nlhN.exe, ProcessCommandLine: "schtasks.exe" /create /tn "MyClientAppTask_638699391308679816" /tr "C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe" /sc onlogon /f, ProcessId: 3404, ProcessName: schtasks.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "schtasks.exe" /create /tn "MyClientAppTask_638699391290709030" /tr "C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe" /sc onlogon /f, CommandLine: "schtasks.exe" /create /tn "MyClientAppTask_638699391290709030" /tr "C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe" /sc onlogon /f, CommandLine|base64offset|contains: j, Image: C:\Windows\System32\schtasks.exe, NewProcessName: C:\Windows\System32\schtasks.exe, OriginalFileName: C:\Windows\System32\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\AV4b38nlhN.exe", ParentImage: C:\Users\user\Desktop\AV4b38nlhN.exe, ParentProcessId: 3544, ParentProcessName: AV4b38nlhN.exe, ProcessCommandLine: "schtasks.exe" /create /tn "MyClientAppTask_638699391290709030" /tr "C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe" /sc onlogon /f, ProcessId: 3416, ProcessName: schtasks.exe
No Suricata rule has matched

AV Detection

Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe | ReversingLabs: Detection: 18%
Source: C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe | ReversingLabs: Detection: 18%
Source: C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.exe | ReversingLabs: Detection: 18%
Source: C:\Users\user\AppData\Local\Temp\f3x15nhp.vew\AV4b38nlhN.exe | ReversingLabs: Detection: 18%
Source: C:\Users\user\AppData\Local\Temp\h4ljp22h.k2l\AV4b38nlhN.exe | ReversingLabs: Detection: 18%
Source: C:\Users\user\AppData\Local\Temp\hayuutbg.cwy\AV4b38nlhN.exe | ReversingLabs: Detection: 18%
Source: C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\AV4b38nlhN.exe | ReversingLabs: Detection: 18%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV4b38nlhN.exe | ReversingLabs: Detection: 18%
Source: AV4b38nlhN.exe | ReversingLabs: Detection: 18%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Users\user\AppData\Local\Temp\h4ljp22h.k2l\AV4b38nlhN.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\AV4b38nlhN.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\hayuutbg.cwy\AV4b38nlhN.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\f3x15nhp.vew\AV4b38nlhN.exe | Joe Sandbox ML: detected
Source: AV4b38nlhN.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\AV4b38nlhN.exe | File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_88e266cb2fac7c0d\MSVCR80.dll
Source: AV4b38nlhN.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\System.pdbRPROFIL source: AV4b38nlhN.exe, 00000004.00000002.3076956330.0000000000F33000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\seven\Desktop\tt\System\System\obj\Release\System.pdb source: AV4b38nlhN.exe, 00000010.00000002.3183908314.00000000007F2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\System.pdbd source: AV4b38nlhN.exe, 00000013.00000002.3305493646.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb% source: AV4b38nlhN.exe, 00000000.00000002.2972265541.0000000001586000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000008.00000002.3024411839.0000000001416000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 0000000C.00000002.3053343087.00000000013F6000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000010.00000002.3184646982.0000000001226000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000013.00000002.3306473097.00000000015B6000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000018.00000002.3439620043.0000000001446000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\seven\Desktop\tt\System\System\obj\Release\System.pdb" source: AV4b38nlhN.exe, 00000000.00000002.2972265541.0000000001586000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000008.00000002.3024411839.0000000001416000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 0000000C.00000002.3053343087.00000000013F6000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000010.00000002.3184646982.0000000001226000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000013.00000002.3306473097.00000000015B6000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000018.00000002.3439620043.0000000001446000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: AV4b38nlhN.PDB source: AV4b38nlhN.exe, 00000004.00000002.3075213335.00000000008F2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Users\seven\Desktop\tt\System\System\obj\Release\System.pdb( source: AV4b38nlhN.exe, 00000004.00000002.3076956330.0000000000F33000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.PDB source: AV4b38nlhN.exe, 00000013.00000002.3305493646.0000000000D98000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\exe\System.pdbq source: AV4b38nlhN.exe, 00000008.00000002.3024411839.0000000001416000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sers\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.pdbexe source: AV4b38nlhN.exe, 00000018.00000002.3439041588.000000000116A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 91C:\Users\user\Desktop\AV4b38nlhN.PDB source: AV4b38nlhN.exe, 00000000.00000002.2970439481.0000000000CF2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\System.pdb: source: AV4b38nlhN.exe, 00000013.00000002.3305395115.0000000000CF2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: hC:\Windows\System.pdb` source: AV4b38nlhN.exe, 00000000.00000002.2970439481.0000000000CF2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\exe\System.pdb4 source: AV4b38nlhN.exe, 0000000C.00000002.3052912296.0000000001217000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbSTEM32 source: AV4b38nlhN.exe, 00000018.00000002.3439041588.000000000116A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdbu source: AV4b38nlhN.exe, 00000018.00000002.3439620043.0000000001446000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdb=C:\Wi source: AV4b38nlhN.exe, 00000004.00000002.3076956330.0000000000F33000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\System.pdb source: AV4b38nlhN.exe, 00000008.00000002.3024411839.0000000001416000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 0000000C.00000002.3053343087.00000000013F6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.pdb8 source: AV4b38nlhN.exe, 00000000.00000002.2970599744.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.pdb7 source: AV4b38nlhN.exe, 00000008.00000002.3021171367.000000000117A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\seven\Desktop\tt\System\System\obj\Release\System.pdbP source: AV4b38nlhN.exe, 00000013.00000002.3305395115.0000000000CF2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.pdbmx source: AV4b38nlhN.exe, 00000018.00000002.3439041588.00000000011B8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.pdb source: AV4b38nlhN.exe, 00000018.00000002.3438991451.00000000010F4000.00000004.00000010.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000018.00000002.3439620043.0000000001446000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.pdb0 source: AV4b38nlhN.exe, 00000004.00000002.3075899276.0000000000A0C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.PDB4e089 source: AV4b38nlhN.exe, 00000004.00000002.3075899276.0000000000A0C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdb source: AV4b38nlhN.exe, 00000000.00000002.2972265541.0000000001586000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000008.00000002.3024411839.0000000001416000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000008.00000002.3021016971.0000000000DE2000.00000004.00000010.00020000.00000000.sdmp, AV4b38nlhN.exe, 0000000C.00000002.3052694248.0000000000D72000.00000004.00000010.00020000.00000000.sdmp, AV4b38nlhN.exe, 0000000C.00000002.3053343087.00000000013F6000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000010.00000002.3183908314.00000000007F2000.00000004.00000010.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000010.00000002.3184646982.0000000001226000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000013.00000002.3305395115.0000000000CF2000.00000004.00000010.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000018.00000002.3439620043.0000000001446000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbe source: AV4b38nlhN.exe, 00000010.00000002.3184646982.0000000001226000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\seven\Desktop\tt\System\System\obj\Release\System.pdbNGINE source: AV4b38nlhN.exe, 00000004.00000002.3076956330.0000000000F33000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\System.pdb source: AV4b38nlhN.exe, 00000013.00000002.3306473097.00000000015B6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\seven\Desktop\tt\System\System\obj\Release\System.pdb`} source: AV4b38nlhN.exe, 00000004.00000002.3075213335.00000000008F2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe.pdb source: AV4b38nlhN.exe, 00000008.00000002.3021016971.0000000000DE2000.00000004.00000010.00020000.00000000.sdmp, AV4b38nlhN.exe, 0000000C.00000002.3052694248.0000000000D72000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\dll\System.pdb source: AV4b38nlhN.exe, 00000008.00000002.3024411839.0000000001416000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000010.00000002.3184646982.0000000001226000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000013.00000002.3306473097.00000000015B6000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000018.00000002.3439620043.0000000001446000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\exe\System.pdbc source: AV4b38nlhN.exe, 00000000.00000002.2970599744.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\AV4b38nlhN.PDB source: AV4b38nlhN.exe, 00000010.00000002.3184058329.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.exe.pdb source: AV4b38nlhN.exe, 00000013.00000002.3305395115.0000000000CF2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.PDB source: AV4b38nlhN.exe, 00000004.00000002.3075213335.00000000008F2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb: source: AV4b38nlhN.exe, 00000008.00000002.3021171367.000000000117A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: AV4b38nlhN.PDBD source: AV4b38nlhN.exe, 00000018.00000002.3438991451.00000000010F4000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Desktop\AV4b38nlhN.exe.pdb source: AV4b38nlhN.exe, 00000000.00000002.2970439481.0000000000CF2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdbd, source: AV4b38nlhN.exe, 0000000C.00000002.3052912296.0000000001217000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: AV4b38nlhN.PDBA source: AV4b38nlhN.exe, 00000008.00000002.3021016971.0000000000DE2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.pdb source: AV4b38nlhN.exe, 00000000.00000002.2970599744.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000004.00000002.3075899276.0000000000A0C000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000013.00000002.3305493646.0000000000D98000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000018.00000002.3439041588.000000000116A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: AV4b38nlhN.PDB? source: AV4b38nlhN.exe, 0000000C.00000002.3052694248.0000000000D72000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb.EXEH source: AV4b38nlhN.exe, 00000013.00000002.3305493646.0000000000D98000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\exe\System.pdb source: AV4b38nlhN.exe, 00000000.00000002.2972265541.0000000001586000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 0000000C.00000002.3053343087.00000000013F6000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000010.00000002.3184646982.0000000001226000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000013.00000002.3306473097.00000000015B6000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000018.00000002.3439620043.0000000001446000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\Desktop\System.pdbh source: AV4b38nlhN.exe, 00000000.00000002.2970599744.0000000000E7B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: symbols\exe\System.pdbP source: AV4b38nlhN.exe, 00000000.00000002.2970439481.0000000000CF2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\exe\System.pdbC:t source: AV4b38nlhN.exe, 00000004.00000002.3076956330.0000000000F33000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.PDB[ source: AV4b38nlhN.exe, 00000013.00000002.3305395115.0000000000CF2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\AV4b38nlhN.exe.pdb source: AV4b38nlhN.exe, 00000010.00000002.3183908314.00000000007F2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.pdb(7 source: AV4b38nlhN.exe, 0000000C.00000002.3053343087.00000000013F6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\System.pdb: source: AV4b38nlhN.exe, 00000010.00000002.3183908314.00000000007F2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\System.pdbO source: AV4b38nlhN.exe, 00000008.00000002.3021171367.000000000117A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: symbols\exe\System.pdb@ source: AV4b38nlhN.exe, 00000008.00000002.3021016971.0000000000DE2000.00000004.00000010.00020000.00000000.sdmp, AV4b38nlhN.exe, 0000000C.00000002.3052694248.0000000000D72000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: AV4b38nlhN.PDB" source: AV4b38nlhN.exe, 00000010.00000002.3183908314.00000000007F2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\Desktop\AV4b38nlhN.PDBv9.0} source: AV4b38nlhN.exe, 00000000.00000002.2970599744.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\System.pdb source: AV4b38nlhN.exe, 00000010.00000002.3184646982.0000000001226000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Desktop\System.pdb source: AV4b38nlhN.exe, 00000000.00000002.2972265541.0000000001586000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000000.00000002.2970439481.0000000000CF2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: 91C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\AV4b38nlhN.PDB:\W source: AV4b38nlhN.exe, 00000010.00000002.3183908314.00000000007F2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Users\seven\Desktop\tt\System\System\obj\Release\System.pdbPrograms\Startup\System.pdb source: AV4b38nlhN.exe, 00000018.00000002.3438991451.00000000010F4000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdb" source: AV4b38nlhN.exe, 00000013.00000002.3306473097.00000000015B6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 91C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.PDB:\W source: AV4b38nlhN.exe, 00000013.00000002.3305395115.0000000000CF2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\System.pdb} source: AV4b38nlhN.exe, 00000004.00000002.3075899276.0000000000A5A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: XC:\Windows\System.pdb source: AV4b38nlhN.exe, 00000004.00000002.3075213335.00000000008F2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: AV4b38nlhN.PDBX source: AV4b38nlhN.exe, 00000000.00000002.2970439481.0000000000CF2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\System.pdbme="de source: AV4b38nlhN.exe, 00000008.00000002.3021171367.00000000011DB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: AV4b38nlhN.PDB[ source: AV4b38nlhN.exe, 00000013.00000002.3305395115.0000000000CF2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.PDB? source: AV4b38nlhN.exe, 0000000C.00000002.3052694248.0000000000D72000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.PDBA source: AV4b38nlhN.exe, 00000008.00000002.3021016971.0000000000DE2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\System.pdb: source: AV4b38nlhN.exe, 00000004.00000002.3075213335.00000000008F2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\dll\System.pdb=3 source: AV4b38nlhN.exe, 0000000C.00000002.3053343087.00000000013F6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\dll\System.pdbs\, source: AV4b38nlhN.exe, 00000004.00000002.3076956330.0000000000F33000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdbR source: AV4b38nlhN.exe, 00000010.00000002.3184058329.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbu source: AV4b38nlhN.exe, 00000004.00000002.3076956330.0000000000F33000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\seven\Desktop\tt\System\System\obj\Release\System.pdb source: AV4b38nlhN.exe, AV4b38nlhN.exe.24.dr, AV4b38nlhN.exe.8.dr, AV4b38nlhN.exe.19.dr, AV4b38nlhN.exe.4.dr, AV4b38nlhN.exe0.0.dr, AV4b38nlhN.exe.12.dr, AV4b38nlhN.exe.0.dr, AV4b38nlhN.exe.16.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\System.pdbe089E source: AV4b38nlhN.exe, 0000000C.00000002.3052912296.0000000001217000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: AV4b38nlhN.exe, 00000013.00000002.3305493646.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000018.00000002.3439041588.00000000011B8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\System.pdbnt source: AV4b38nlhN.exe, 00000004.00000002.3075899276.00000000009C9000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 0000000C.00000002.3052912296.0000000001217000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.PDBm.dll source: AV4b38nlhN.exe, 00000008.00000002.3021171367.000000000117A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: AV4b38nlhN.exe, 00000004.00000002.3076956330.0000000000F33000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 91C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.PDB:\W source: AV4b38nlhN.exe, 00000004.00000002.3075213335.00000000008F2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdbZ source: AV4b38nlhN.exe, 00000018.00000002.3438991451.00000000010F4000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdbpdb q source: AV4b38nlhN.exe, 00000000.00000002.2972265541.0000000001586000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.pdbom0y source: AV4b38nlhN.exe, 00000004.00000002.3076956330.0000000000F33000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\AV4b38nlhN.PDB" source: AV4b38nlhN.exe, 00000010.00000002.3183908314.00000000007F2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Users\seven\Desktop\tt\System\System\obj\Release\System.pdb3@M@ ?@_CorExeMainmscoree.dll source: AV4b38nlhN.exe, AV4b38nlhN.exe.24.dr, AV4b38nlhN.exe.8.dr, AV4b38nlhN.exe.19.dr, AV4b38nlhN.exe.4.dr, AV4b38nlhN.exe0.0.dr, AV4b38nlhN.exe.12.dr, AV4b38nlhN.exe.0.dr, AV4b38nlhN.exe.16.dr
Source: Binary string: em.pdb source: AV4b38nlhN.exe, 00000004.00000002.3075213335.00000000008F2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Desktop\AV4b38nlhN.PDB source: AV4b38nlhN.exe, 00000000.00000002.2970439481.0000000000CF2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\System.pdbe089 source: AV4b38nlhN.exe, 00000013.00000002.3305493646.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\System.pdb: source: AV4b38nlhN.exe, 00000008.00000002.3021016971.0000000000DE2000.00000004.00000010.00020000.00000000.sdmp, AV4b38nlhN.exe, 0000000C.00000002.3052694248.0000000000D72000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.pdbO source: AV4b38nlhN.exe, 00000010.00000002.3184058329.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb source: AV4b38nlhN.exe, 00000000.00000002.2972265541.0000000001586000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000008.00000002.3024411839.0000000001416000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 0000000C.00000002.3053343087.00000000013F6000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000010.00000002.3184646982.0000000001226000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000013.00000002.3306473097.00000000015B6000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000018.00000002.3439620043.0000000001446000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\System.pdb source: AV4b38nlhN.exe, 00000010.00000002.3184058329.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\exe\System.pdb source: AV4b38nlhN.exe, 00000004.00000002.3075899276.0000000000A00000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000010.00000002.3184058329.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000018.00000002.3439041588.00000000011B8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\seven\Desktop\tt\System\System\obj\Release\System.pdb~ source: AV4b38nlhN.exe, 0000000C.00000002.3052694248.0000000000D72000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: 91C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.PDB:\W source: AV4b38nlhN.exe, 00000008.00000002.3021016971.0000000000DE2000.00000004.00000010.00020000.00000000.sdmp, AV4b38nlhN.exe, 0000000C.00000002.3052694248.0000000000D72000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\exe\System.pdb-- source: AV4b38nlhN.exe, 00000004.00000002.3076956330.0000000000F33000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: symbols\exe\System.pdb source: AV4b38nlhN.exe, 00000004.00000002.3075213335.00000000008F2000.00000004.00000010.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000010.00000002.3183908314.00000000007F2000.00000004.00000010.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000013.00000002.3305395115.0000000000CF2000.00000004.00000010.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000018.00000002.3438991451.00000000010F4000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.PDB4e089, source: AV4b38nlhN.exe, 0000000C.00000002.3052912296.0000000001217000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV4b38nlhN.PDB source: AV4b38nlhN.exe, 00000018.00000002.3438991451.00000000010F4000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe.pdb source: AV4b38nlhN.exe, 00000004.00000002.3075213335.00000000008F2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdbF source: AV4b38nlhN.exe, 00000013.00000002.3306473097.00000000015B6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\System.pdbpdbtem.pdbDA source: AV4b38nlhN.exe, 00000004.00000002.3076956330.0000000000F33000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\System.pdbpdbtem.pdb source: AV4b38nlhN.exe, 00000000.00000002.2972265541.0000000001586000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000004.00000002.3076956330.0000000000F33000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000008.00000002.3024411839.0000000001416000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 0000000C.00000002.3053343087.00000000013F6000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000010.00000002.3184646982.0000000001226000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000013.00000002.3306473097.00000000015B6000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000018.00000002.3439620043.0000000001446000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\exe\System.pdb source: AV4b38nlhN.exe, 00000000.00000002.2972265541.0000000001586000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000008.00000002.3024411839.0000000001416000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 0000000C.00000002.3053343087.00000000013F6000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000010.00000002.3184646982.0000000001226000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000013.00000002.3306473097.00000000015B6000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000018.00000002.3439620043.0000000001446000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\System.pdb source: AV4b38nlhN.exe, 00000000.00000002.2970599744.0000000000E7B000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000010.00000002.3184058329.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000018.00000002.3439041588.00000000011B8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdb6)ProgramW6432=C:\Program FilesPSMod source: AV4b38nlhN.exe, 00000004.00000002.3076956330.0000000000F33000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.pdbs source: AV4b38nlhN.exe, 0000000C.00000002.3052912296.0000000001217000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: em.pdb-- source: AV4b38nlhN.exe, 00000004.00000002.3075213335.00000000008F2000.00000004.00000010.00020000.00000000.sdmp
Source: global traffic | TCP traffic: 192.168.2.6:49713 -> 193.58.121.250:7174
Source: unknown | TCP traffic detected without corresponding DNS query: 193.58.121.250 (this entry is repeated 42 times in the report)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (this entry is repeated 6 times in the report)
Source: global traffic | DNS traffic detected: DNS query: 10.76.9.0.in-addr.arpa
Source: Amcache.hve.22.dr | String found in binary or memory: http://upx.sf.net
Source: AV4b38nlhN.exe, AV4b38nlhN.exe.24.dr, AV4b38nlhN.exe.8.dr, AV4b38nlhN.exe.19.dr, AV4b38nlhN.exe.4.dr, AV4b38nlhN.exe0.0.dr, AV4b38nlhN.exe.12.dr, AV4b38nlhN.exe.0.dr, AV4b38nlhN.exe.16.dr | String found in binary or memory: https://api.ipify.org
Source: dw20.exe, 0000001B.00000003.3046464190.00000000005C3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://watson.tU
Source: C:\Users\user\Desktop\AV4b38nlhN.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe dw20.exe -x -s 980
Source: AV4b38nlhN.exe, 00000000.00000000.2139110890.0000000000996000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameSystem.exe. vs AV4b38nlhN.exe
Source: AV4b38nlhN.exe | Binary or memory string: OriginalFilenameSystem.exe. vs AV4b38nlhN.exe
Source: AV4b38nlhN.exe.24.dr | Binary or memory string: OriginalFilenameSystem.exe. vs AV4b38nlhN.exe
Source: AV4b38nlhN.exe.8.dr | Binary or memory string: OriginalFilenameSystem.exe. vs AV4b38nlhN.exe
Source: AV4b38nlhN.exe.19.dr | Binary or memory string: OriginalFilenameSystem.exe. vs AV4b38nlhN.exe
Source: AV4b38nlhN.exe.4.dr | Binary or memory string: OriginalFilenameSystem.exe. vs AV4b38nlhN.exe
Source: AV4b38nlhN.exe0.0.dr | Binary or memory string: OriginalFilenameSystem.exe. vs AV4b38nlhN.exe
Source: AV4b38nlhN.exe.12.dr | Binary or memory string: OriginalFilenameSystem.exe. vs AV4b38nlhN.exe
Source: AV4b38nlhN.exe.0.dr | Binary or memory string: OriginalFilenameSystem.exe. vs AV4b38nlhN.exe
Source: AV4b38nlhN.exe.16.dr | Binary or memory string: OriginalFilenameSystem.exe. vs AV4b38nlhN.exe
Source: classification engine | Classification label: mal84.adwa.winEXE@43/38@6/1
Source: C:\Users\user\Desktop\AV4b38nlhN.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV4b38nlhN.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5356:120:WilError_03
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV4b38nlhN.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4132:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5644:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3648:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6820:120:WilError_03
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV4b38nlhN.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5916:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5688:120:WilError_03
Source: C:\Users\user\Desktop\AV4b38nlhN.exe | File created: C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3
Source: AV4b38nlhN.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: AV4b38nlhN.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\AV4b38nlhN.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: AV4b38nlhN.exe | ReversingLabs: Detection: 18%
Source: C:\Users\user\Desktop\AV4b38nlhN.exe | File read: C:\Users\user\Desktop\AV4b38nlhN.exe
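The network findings above come down to two checks that a sandbox or an NDR sensor can automate: a connection to a public IP that no preceding DNS answer produced (a hardcoded C2 address) and a destination port outside the usual set. The following Python is an added example, not part of the Joe Sandbox report; it re-implements both checks over a constructed event log in a made-up "timestamp kind key=value" format, with the second constructed line mirroring the report's 192.168.2.6:49713 -> 193.58.121.250:7174 connection. The set of "standard" ports and the resolver-skipping rule are assumptions for the example.

```python
"""Correlate connections with DNS answers, as a Joe Sandbox-style check.

Added example, not part of the report: it re-implements the report's two
network findings (a TCP connection to an IP no DNS query resolved, on a
non-standard port) over a constructed event log in a made-up format.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Destination ports treated as ordinary; anything else is called non-standard.
# This set is an assumption for the example, tune it to your environment.
STANDARD_PORTS = {53, 80, 443, 853, 993, 995, 8080, 8443}

# Constructed events (not the report's own log format). Line 2 mirrors the
# report's 192.168.2.6:49713 -> 193.58.121.250:7174 connection; the ipify
# answers are made up for the example.
SAMPLE_EVENTS = """\
0.10 dns query=10.76.9.0.in-addr.arpa answers=
0.35 tcp src=192.168.2.6:49713 dst=193.58.121.250:7174
0.40 udp src=192.168.2.6:52001 dst=1.1.1.1:53
1.20 dns query=api.ipify.org answers=104.26.12.205,172.67.74.152
1.25 tcp src=192.168.2.6:49714 dst=104.26.12.205:443
"""

DNS_RE = re.compile(r"^(?P<ts>\S+) dns query=(?P<q>\S+) answers=(?P<a>\S*)$")
CONN_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>tcp|udp) src=\S+ dst=(?P<ip>[\d.]+):(?P<port>\d+)$"
)


@dataclass
class Finding:
    ts: float
    proto: str
    ip: str
    port: int
    reasons: list = field(default_factory=list)


def analyse(events: str) -> list:
    """Return a Finding for each connection that no earlier DNS answer explains
    or that targets a non-standard port. Traffic to port 53 is the resolver
    itself and is skipped: a resolver address is never looked up first."""
    resolved = set()  # IPs that have appeared in a DNS answer so far
    findings = []
    for line in events.splitlines():
        if (m := DNS_RE.match(line)):
            resolved.update(a for a in m["a"].split(",") if a)
            continue
        if (m := CONN_RE.match(line)):
            ip, port, proto = m["ip"], int(m["port"]), m["proto"]
            if port == 53:
                continue
            reasons = []
            if not ipaddress.ip_address(ip).is_private and ip not in resolved:
                reasons.append("destination never returned by a DNS answer (hardcoded address?)")
            if port not in STANDARD_PORTS:
                reasons.append(f"non-standard destination port {port}")
            if reasons:
                findings.append(Finding(float(m["ts"]), proto, ip, port, reasons))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"{f.ts:6.2f} {f.proto} {f.ip}:{f.port}: " + "; ".join(f.reasons))
```

Run against the constructed events, only the 193.58.121.250:7174 connection is reported, with both reasons. The report itself also lists the UDP traffic to 1.1.1.1 as "without corresponding DNS query"; the example deliberately treats port-53 traffic as the resolver rather than as a finding, which removes that noise without losing the C2 connection.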
Source: unknown | Process created: C:\Users\user\Desktop\AV4b38nlhN.exe "C:\Users\user\Desktop\AV4b38nlhN.exe"
Source: C:\Users\user\Desktop\AV4b38nlhN.exe | Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /create /tn "MyClientAppTask_638699391290709030" /tr "C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe" /sc onlogon /f
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe
Source: C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe | Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /create /tn "MyClientAppTask_638699391308679816" /tr "C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe" /sc onlogon /f
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe "C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe"
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe | Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /create /tn "MyClientAppTask_638699391446656104" /tr "C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\AV4b38nlhN.exe" /sc onlogon /f
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe "C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe"
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe | Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /create /tn "MyClientAppTask_638699391551663456" /tr "C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.exe" /sc onlogon /f
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\AV4b38nlhN.exe "C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\AV4b38nlhN.exe"
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /create /tn "MyClientAppTask_638699391675304437" /tr "C:\Users\user\AppData\Local\Temp\f3x15nhp.vew\AV4b38nlhN.exe" /sc onlogon /f
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.exe "C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.exe"
Source: C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.exe | Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /create /tn "MyClientAppTask_638699391812619093" /tr "C:\Users\user\AppData\Local\Temp\hayuutbg.cwy\AV4b38nlhN.exe" /sc onlogon /f
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\AV4b38nlhN.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe dw20.exe -x -s 980
Source: unknown | Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV4b38nlhN.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV4b38nlhN.exe"
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV4b38nlhN.exe | Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /create /tn "MyClientAppTask_638699391947448790" /tr "C:\Users\user\AppData\Local\Temp\h4ljp22h.k2l\AV4b38nlhN.exe" /sc onlogon /f
Source: C:\Windows\System32\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe dw20.exe -x -s 1192
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe dw20.exe -x -s 880
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe dw20.exe -x -s 1152
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe dw20.exe -x -s 1172
Source: C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe dw20.exe -x -s 992
Source: C:\Users\user\Desktop\AV4b38nlhN.exe | Process created: C:\Windows\System32\backgroundTaskHost.exe "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV4b38nlhN.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe dw20.exe -x -s 1172
Source: C:\Users\user\Desktop\AV4b38nlhN.exe | Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /create /tn "MyClientAppTask_638699391290709030" /tr "C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe" /sc onlogon /f
Source: C:\Users\user\Desktop\AV4b38nlhN.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe dw20.exe -x -s 980
Source: C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe | Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /create /tn "MyClientAppTask_638699391308679816" /tr "C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe" /sc onlogon /f
Source: C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe dw20.exe -x -s 1192
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe | Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /create /tn "MyClientAppTask_638699391446656104" /tr "C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\AV4b38nlhN.exe" /sc onlogon /f
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe dw20.exe -x -s 880
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe | Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /create /tn "MyClientAppTask_638699391551663456" /tr "C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.exe" /sc onlogon /f
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe dw20.exe -x -s 1152
Source: C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\AV4b38nlhN.exe | Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /create /tn "MyClientAppTask_638699391675304437" /tr "C:\Users\user\AppData\Local\Temp\f3x15nhp.vew\AV4b38nlhN.exe" /sc onlogon /f
Source: C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\AV4b38nlhN.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe dw20.exe -x -s 1172
Source: C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.exe | Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /create /tn "MyClientAppTask_638699391812619093" /tr "C:\Users\user\AppData\Local\Temp\hayuutbg.cwy\AV4b38nlhN.exe" /sc onlogon /f
Source: C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe dw20.exe -x -s 992
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV4b38nlhN.exe | Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /create /tn "MyClientAppTask_638699391947448790" /tr "C:\Users\user\AppData\Local\Temp\h4ljp22h.k2l\AV4b38nlhN.exe" /sc onlogon /f
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV4b38nlhN.exe | Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe dw20.exe -x -s 1172
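Every hop in the process chain above repeats the same move: the running copy writes a fresh copy into a randomly named %TEMP% subdirectory, registers it with "schtasks /create /tn MyClientAppTask_<number> /tr <that copy> /sc onlogon /f", and the copy in the Startup folder does the same. Task names and paths change on every run, so hunting by name is hopeless; what stays constant is the structure of the command line, which is what the Sigma signatures in the Overview ("Suspicious Schtasks From Env Var Folder", "Suspicious Add Scheduled Task Parent") key on. The Python below is an added example, not part of the Joe Sandbox report or of the sample: it parses constructed process-creation records (the first copied from the report's own schtasks line, the other two benign look-alikes) and returns the reasons a task creation looks like persistence. The directory list and the per-run-suffix heuristic are assumptions for the example.

```python
"""Flag schtasks.exe persistence of the kind this report records.

Added example, not part of the report or of the sample: it parses process
creation records (constructed below, the first one copied from the report's
own schtasks command line) and scores a task creation against the conditions
behind the Sigma signatures in the Overview: a logon/startup trigger, an
action or parent under a user-writable path, and /f to overwrite a task.
"""
import re
from typing import Optional

# Directories that a legitimate installer rarely schedules a logon task from.
# The list is an assumption for this example; extend it for your estate.
SUSPICIOUS_DIRS = [
    re.compile(r"\\AppData\\Local\\Temp\\", re.I),
    re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I),
    re.compile(r"\\Users\\Public\\", re.I),
    re.compile(r"\\ProgramData\\", re.I),
]
PERSISTENT_TRIGGERS = {"onlogon", "onstart", "onidle"}

# Constructed (parent image, command line) pairs. The first is the report's
# own task creation; the other two are benign look-alikes for contrast.
SAMPLE_PROCESSES = [
    (r"C:\Users\user\Desktop\AV4b38nlhN.exe",
     r'"schtasks.exe" /create /tn "MyClientAppTask_638699391290709030" '
     r'/tr "C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe" /sc onlogon /f'),
    (r"C:\Windows\System32\msiexec.exe",
     r'schtasks.exe /create /tn "Vendor Update Task" '
     r'/tr "C:\Program Files\Vendor\Updater.exe" /sc daily /st 12:00'),
    (r"C:\Windows\explorer.exe",
     r'schtasks.exe /query /tn "MyClientAppTask_638699391290709030"'),
]


def tokenize(cmdline: str) -> list:
    """Split a Windows command line on whitespace while honouring double quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_schtasks(cmdline: str) -> Optional[dict]:
    """Return {'/create': '', '/tn': ..., '/tr': ..., ...}, or None if not schtasks."""
    toks = tokenize(cmdline)
    if not toks:
        return None
    image = toks[0].lower().rsplit("\\", 1)[-1]
    if image not in ("schtasks.exe", "schtasks"):
        return None
    opts, i = {}, 1
    while i < len(toks):
        key = toks[i].lower()
        if key.startswith("/") and i + 1 < len(toks) and not toks[i + 1].startswith("/"):
            opts[key] = toks[i + 1]   # switch with a value, e.g. /tn NAME
            i += 2
        else:
            if key.startswith("/"):
                opts[key] = ""        # bare switch, e.g. /create or /f
            i += 1
    return opts


def assess(parent: str, cmdline: str) -> list:
    """Reasons a schtasks /create looks like malware persistence; [] if benign or not a create."""
    opts = parse_schtasks(cmdline)
    if not opts or "/create" not in opts:
        return []
    reasons = []
    trigger = opts.get("/sc", "").lower()
    target = opts.get("/tr", "")
    if trigger in PERSISTENT_TRIGGERS:
        reasons.append(f"trigger '{trigger}' survives logoff and reboot")
    if any(p.search(target) for p in SUSPICIOUS_DIRS):
        reasons.append("action runs from a user-writable directory: " + target)
    if parent.lower().startswith("c:\\users\\"):
        reasons.append("task created by a process running from a user profile: " + parent)
    if "/f" in opts:
        reasons.append("/f silently overwrites an existing task of the same name")
    # The report's task names end in an 18-digit number that changes on every
    # run; assumed here to be a .NET DateTime.Ticks value used for uniqueness.
    if re.search(r"_\d{18}$", opts.get("/tn", "")):
        reasons.append("task name carries a per-run numeric suffix")
    return reasons


def scan(processes) -> dict:
    """Map task name -> reasons for every creation that raised at least one reason."""
    hits = {}
    for parent, cmdline in processes:
        reasons = assess(parent, cmdline)
        if reasons:
            hits[parse_schtasks(cmdline).get("/tn", "?")] = reasons
    return hits


if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_PROCESSES).items():
        print(name)
        for r in reasons:
            print("  -", r)
```

On the constructed input only the report's own command line is reported, with all five reasons; the msiexec-spawned daily task and the explorer-spawned /query are silent. On a live estate the same function applies unchanged to the command-line field of Sysmon Event ID 1 or Security 4688 records, and the parent check is what catches the Desktop- and Startup-folder-launched copies that the report lists as task creators.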
Source: C:\Users\user\Desktop\AV4b38nlhN.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\AV4b38nlhN.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\AV4b38nlhN.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\AV4b38nlhN.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\AV4b38nlhN.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\AV4b38nlhN.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\AV4b38nlhN.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\AV4b38nlhN.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\AV4b38nlhN.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\AV4b38nlhN.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\AV4b38nlhN.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\AV4b38nlhN.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\AV4b38nlhN.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\AV4b38nlhN.exe | Section loaded: napinsp.dll
Source: C:\Users\user\Desktop\AV4b38nlhN.exe | Section loaded: pnrpnsp.dll
Source: C:\Users\user\Desktop\AV4b38nlhN.exe | Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\AV4b38nlhN.exe | Section loaded: nlaapi.dll
Source: C:\Users\user\Desktop\AV4b38nlhN.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\AV4b38nlhN.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\AV4b38nlhN.exe | Section loaded: winrnr.dll
Source: C:\Users\user\Desktop\AV4b38nlhN.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe | Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe | Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe | Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe | Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe | Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe | Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe | Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe | Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe | Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe | Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe | Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe | Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe | Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe | Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe | Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\AV4b38nlhN.exe | Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\AV4b38nlhN.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\AV4b38nlhN.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\AV4b38nlhN.exe | Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\AV4b38nlhN.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\AV4b38nlhN.exe | Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\AV4b38nlhN.exe | Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\AV4b38nlhN.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\AV4b38nlhN.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\AV4b38nlhN.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\AV4b38nlhN.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\AV4b38nlhN.exe | Section loaded: shfolder.dll
Source: C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\AV4b38nlhN.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\AV4b38nlhN.exe | Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\AV4b38nlhN.exe | Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\AV4b38nlhN.exe | Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\AV4b38nlhN.exe | Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\AV4b38nlhN.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\AV4b38nlhN.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\AV4b38nlhN.exe | Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\AV4b38nlhN.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.exeSection loaded: mscoree.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.exeSection loaded: apphelp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.exeSection loaded: version.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.exeSection loaded: windows.storage.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.exeSection loaded: wldp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.exeSection loaded: profapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.exeSection loaded: cryptsp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.exeSection loaded: rsaenh.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.exeSection loaded: cryptbase.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.exeSection loaded: ntmarta.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.exeSection loaded: shfolder.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.exeSection loaded: mswsock.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.exeSection loaded: napinsp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.exeSection loaded: pnrpnsp.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.exeSection loaded: wshbth.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.exeSection loaded: nlaapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.exeSection loaded: iphlpapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.exeSection loaded: dnsapi.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.exeSection loaded: winrnr.dllJump to behavior
Source: C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.exeSection loaded: rasadhlp.dllJump to behavior
Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dllJump to behavior
Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dllJump to behavior
Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dllJump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV4b38nlhN.exeSection loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV4b38nlhN.exeSection loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV4b38nlhN.exeSection loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV4b38nlhN.exeSection loaded: version.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV4b38nlhN.exeSection loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV4b38nlhN.exeSection loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV4b38nlhN.exeSection loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV4b38nlhN.exeSection loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV4b38nlhN.exeSection loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV4b38nlhN.exeSection loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV4b38nlhN.exeSection loaded: ntmarta.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV4b38nlhN.exeSection loaded: shfolder.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV4b38nlhN.exeSection loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV4b38nlhN.exeSection loaded: napinsp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV4b38nlhN.exeSection loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV4b38nlhN.exeSection loaded: wshbth.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV4b38nlhN.exeSection loaded: nlaapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV4b38nlhN.exeSection loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV4b38nlhN.exeSection loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV4b38nlhN.exeSection loaded: winrnr.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV4b38nlhN.exeSection loaded: rasadhlp.dll
Source: C:\Windows\System32\schtasks.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exeSection loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exeSection loaded: xmllite.dll
Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: kernel.appcore.dll
Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: twinapi.appcore.dll
Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: wintypes.dll
Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: mrmcorer.dll
Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: biwinrt.dll
Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: windows.staterepositorycore.dll
Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: sspicli.dll
Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: policymanager.dll
Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: slc.dll
Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: wldp.dll
Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: cdp.dll
Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: wincorlib.dll
Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: msvcp110_win.dll
Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: sppc.dll
Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: umpdc.dll
Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: propsys.dll
Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: dsreg.dll
Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: cryptsp.dll
Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: windows.networking.backgroundtransfer.dll
Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: systemeventsbrokerclient.dll
Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: wininet.dll
Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: iertutil.dll
Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: userenv.dll
Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: profext.dll
Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: profapi.dll
Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: ntmarta.dll
Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: windows.storage.dll
Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: dpapi.dll
Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: cryptbase.dll
Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: windows.storage.applicationdata.dll
Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: logoncli.dll
Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: threadpoolwinrt.dll
Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: windows.applicationmodel.background.timebroker.dll
Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: windows.applicationmodel.background.systemeventsbroker.dll
Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: windows.web.dll
Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: windows.globalization.dll
Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: bcp47langs.dll
Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: bcp47mrm.dll
Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: windows.security.authentication.web.core.dll
Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: vaultcli.dll
Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: uxtheme.dll
Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: cryptowinrt.dll
Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: ncrypt.dll
Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: ntasn1.dll
Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: ncryptprov.dll
Source: C:\Windows\System32\backgroundTaskHost.exeSection loaded: windows.services.targetedcontent.dll
Source: C:\Users\user\Desktop\AV4b38nlhN.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
Source: C:\Users\user\Desktop\AV4b38nlhN.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
Source: AV4b38nlhN.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\AV4b38nlhN.exe | File opened: C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9672_none_88e266cb2fac7c0d\MSVCR80.dll
Source: AV4b38nlhN.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: AV4b38nlhN.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\System.pdbRPROFIL source: AV4b38nlhN.exe, 00000004.00000002.3076956330.0000000000F33000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\seven\Desktop\tt\System\System\obj\Release\System.pdb source: AV4b38nlhN.exe, 00000010.00000002.3183908314.00000000007F2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\System.pdbd source: AV4b38nlhN.exe, 00000013.00000002.3305493646.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb% source: AV4b38nlhN.exe, 00000000.00000002.2972265541.0000000001586000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000008.00000002.3024411839.0000000001416000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 0000000C.00000002.3053343087.00000000013F6000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000010.00000002.3184646982.0000000001226000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000013.00000002.3306473097.00000000015B6000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000018.00000002.3439620043.0000000001446000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\seven\Desktop\tt\System\System\obj\Release\System.pdb" source: AV4b38nlhN.exe, 00000000.00000002.2972265541.0000000001586000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000008.00000002.3024411839.0000000001416000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 0000000C.00000002.3053343087.00000000013F6000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000010.00000002.3184646982.0000000001226000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000013.00000002.3306473097.00000000015B6000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000018.00000002.3439620043.0000000001446000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: AV4b38nlhN.PDB source: AV4b38nlhN.exe, 00000004.00000002.3075213335.00000000008F2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Users\seven\Desktop\tt\System\System\obj\Release\System.pdb( source: AV4b38nlhN.exe, 00000004.00000002.3076956330.0000000000F33000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.PDB source: AV4b38nlhN.exe, 00000013.00000002.3305493646.0000000000D98000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\exe\System.pdbq source: AV4b38nlhN.exe, 00000008.00000002.3024411839.0000000001416000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: sers\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.pdbexe source: AV4b38nlhN.exe, 00000018.00000002.3439041588.000000000116A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 91C:\Users\user\Desktop\AV4b38nlhN.PDB source: AV4b38nlhN.exe, 00000000.00000002.2970439481.0000000000CF2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\System.pdb: source: AV4b38nlhN.exe, 00000013.00000002.3305395115.0000000000CF2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: hC:\Windows\System.pdb` source: AV4b38nlhN.exe, 00000000.00000002.2970439481.0000000000CF2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\exe\System.pdb4 source: AV4b38nlhN.exe, 0000000C.00000002.3052912296.0000000001217000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbSTEM32 source: AV4b38nlhN.exe, 00000018.00000002.3439041588.000000000116A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdbu source: AV4b38nlhN.exe, 00000018.00000002.3439620043.0000000001446000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdb=C:\Wi source: AV4b38nlhN.exe, 00000004.00000002.3076956330.0000000000F33000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\System.pdb source: AV4b38nlhN.exe, 00000008.00000002.3024411839.0000000001416000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 0000000C.00000002.3053343087.00000000013F6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.pdb8 source: AV4b38nlhN.exe, 00000000.00000002.2970599744.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.pdb7 source: AV4b38nlhN.exe, 00000008.00000002.3021171367.000000000117A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\seven\Desktop\tt\System\System\obj\Release\System.pdbP source: AV4b38nlhN.exe, 00000013.00000002.3305395115.0000000000CF2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\dll\System.pdbmx source: AV4b38nlhN.exe, 00000018.00000002.3439041588.00000000011B8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.pdb source: AV4b38nlhN.exe, 00000018.00000002.3438991451.00000000010F4000.00000004.00000010.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000018.00000002.3439620043.0000000001446000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.pdb0 source: AV4b38nlhN.exe, 00000004.00000002.3075899276.0000000000A0C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.PDB4e089 source: AV4b38nlhN.exe, 00000004.00000002.3075899276.0000000000A0C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdb source: AV4b38nlhN.exe, 00000000.00000002.2972265541.0000000001586000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000008.00000002.3024411839.0000000001416000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000008.00000002.3021016971.0000000000DE2000.00000004.00000010.00020000.00000000.sdmp, AV4b38nlhN.exe, 0000000C.00000002.3052694248.0000000000D72000.00000004.00000010.00020000.00000000.sdmp, AV4b38nlhN.exe, 0000000C.00000002.3053343087.00000000013F6000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000010.00000002.3183908314.00000000007F2000.00000004.00000010.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000010.00000002.3184646982.0000000001226000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000013.00000002.3305395115.0000000000CF2000.00000004.00000010.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000018.00000002.3439620043.0000000001446000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbe source: AV4b38nlhN.exe, 00000010.00000002.3184646982.0000000001226000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\seven\Desktop\tt\System\System\obj\Release\System.pdbNGINE source: AV4b38nlhN.exe, 00000004.00000002.3076956330.0000000000F33000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\System.pdb source: AV4b38nlhN.exe, 00000013.00000002.3306473097.00000000015B6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\seven\Desktop\tt\System\System\obj\Release\System.pdb`} source: AV4b38nlhN.exe, 00000004.00000002.3075213335.00000000008F2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe.pdb source: AV4b38nlhN.exe, 00000008.00000002.3021016971.0000000000DE2000.00000004.00000010.00020000.00000000.sdmp, AV4b38nlhN.exe, 0000000C.00000002.3052694248.0000000000D72000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\dll\System.pdb source: AV4b38nlhN.exe, 00000008.00000002.3024411839.0000000001416000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000010.00000002.3184646982.0000000001226000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000013.00000002.3306473097.00000000015B6000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000018.00000002.3439620043.0000000001446000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\exe\System.pdbc source: AV4b38nlhN.exe, 00000000.00000002.2970599744.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\AV4b38nlhN.PDB source: AV4b38nlhN.exe, 00000010.00000002.3184058329.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.exe.pdb source: AV4b38nlhN.exe, 00000013.00000002.3305395115.0000000000CF2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.PDB source: AV4b38nlhN.exe, 00000004.00000002.3075213335.00000000008F2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb: source: AV4b38nlhN.exe, 00000008.00000002.3021171367.000000000117A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: AV4b38nlhN.PDBD source: AV4b38nlhN.exe, 00000018.00000002.3438991451.00000000010F4000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Desktop\AV4b38nlhN.exe.pdb source: AV4b38nlhN.exe, 00000000.00000002.2970439481.0000000000CF2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdbd, source: AV4b38nlhN.exe, 0000000C.00000002.3052912296.0000000001217000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: AV4b38nlhN.PDBA source: AV4b38nlhN.exe, 00000008.00000002.3021016971.0000000000DE2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.pdb source: AV4b38nlhN.exe, 00000000.00000002.2970599744.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000004.00000002.3075899276.0000000000A0C000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000013.00000002.3305493646.0000000000D98000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000018.00000002.3439041588.000000000116A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: AV4b38nlhN.PDB? source: AV4b38nlhN.exe, 0000000C.00000002.3052694248.0000000000D72000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb.EXEH source: AV4b38nlhN.exe, 00000013.00000002.3305493646.0000000000D98000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\exe\System.pdb source: AV4b38nlhN.exe, 00000000.00000002.2972265541.0000000001586000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 0000000C.00000002.3053343087.00000000013F6000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000010.00000002.3184646982.0000000001226000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000013.00000002.3306473097.00000000015B6000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000018.00000002.3439620043.0000000001446000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\Desktop\System.pdbh source: AV4b38nlhN.exe, 00000000.00000002.2970599744.0000000000E7B000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: symbols\exe\System.pdbP source: AV4b38nlhN.exe, 00000000.00000002.2970439481.0000000000CF2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\exe\System.pdbC:t source: AV4b38nlhN.exe, 00000004.00000002.3076956330.0000000000F33000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.PDB[ source: AV4b38nlhN.exe, 00000013.00000002.3305395115.0000000000CF2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\AV4b38nlhN.exe.pdb source: AV4b38nlhN.exe, 00000010.00000002.3183908314.00000000007F2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: System.pdb(7 source: AV4b38nlhN.exe, 0000000C.00000002.3053343087.00000000013F6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\System.pdb: source: AV4b38nlhN.exe, 00000010.00000002.3183908314.00000000007F2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\System.pdbO source: AV4b38nlhN.exe, 00000008.00000002.3021171367.000000000117A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: symbols\exe\System.pdb@ source: AV4b38nlhN.exe, 00000008.00000002.3021016971.0000000000DE2000.00000004.00000010.00020000.00000000.sdmp, AV4b38nlhN.exe, 0000000C.00000002.3052694248.0000000000D72000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: AV4b38nlhN.PDB" source: AV4b38nlhN.exe, 00000010.00000002.3183908314.00000000007F2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\Desktop\AV4b38nlhN.PDBv9.0} source: AV4b38nlhN.exe, 00000000.00000002.2970599744.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\System.pdb source: AV4b38nlhN.exe, 00000010.00000002.3184646982.0000000001226000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Desktop\System.pdb source: AV4b38nlhN.exe, 00000000.00000002.2972265541.0000000001586000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000000.00000002.2970439481.0000000000CF2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: 91C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\AV4b38nlhN.PDB:\W source: AV4b38nlhN.exe, 00000010.00000002.3183908314.00000000007F2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Users\seven\Desktop\tt\System\System\obj\Release\System.pdbPrograms\Startup\System.pdb source: AV4b38nlhN.exe, 00000018.00000002.3438991451.00000000010F4000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdb" source: AV4b38nlhN.exe, 00000013.00000002.3306473097.00000000015B6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 91C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.PDB:\W source: AV4b38nlhN.exe, 00000013.00000002.3305395115.0000000000CF2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\System.pdb} source: AV4b38nlhN.exe, 00000004.00000002.3075899276.0000000000A5A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: XC:\Windows\System.pdb source: AV4b38nlhN.exe, 00000004.00000002.3075213335.00000000008F2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: AV4b38nlhN.PDBX source: AV4b38nlhN.exe, 00000000.00000002.2970439481.0000000000CF2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\System.pdbme="de source: AV4b38nlhN.exe, 00000008.00000002.3021171367.00000000011DB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: AV4b38nlhN.PDB[ source: AV4b38nlhN.exe, 00000013.00000002.3305395115.0000000000CF2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.PDB? source: AV4b38nlhN.exe, 0000000C.00000002.3052694248.0000000000D72000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.PDBA source: AV4b38nlhN.exe, 00000008.00000002.3021016971.0000000000DE2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\System.pdb: source: AV4b38nlhN.exe, 00000004.00000002.3075213335.00000000008F2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\dll\System.pdb=3 source: AV4b38nlhN.exe, 0000000C.00000002.3053343087.00000000013F6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\dll\System.pdbs\, source: AV4b38nlhN.exe, 00000004.00000002.3076956330.0000000000F33000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdbR source: AV4b38nlhN.exe, 00000010.00000002.3184058329.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdbu source: AV4b38nlhN.exe, 00000004.00000002.3076956330.0000000000F33000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\seven\Desktop\tt\System\System\obj\Release\System.pdb source: AV4b38nlhN.exe, AV4b38nlhN.exe.24.dr, AV4b38nlhN.exe.8.dr, AV4b38nlhN.exe.19.dr, AV4b38nlhN.exe.4.dr, AV4b38nlhN.exe0.0.dr, AV4b38nlhN.exe.12.dr, AV4b38nlhN.exe.0.dr, AV4b38nlhN.exe.16.dr
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\System.pdbe089E source: AV4b38nlhN.exe, 0000000C.00000002.3052912296.0000000001217000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\dll\System.pdb source: AV4b38nlhN.exe, 00000013.00000002.3305493646.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000018.00000002.3439041588.00000000011B8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\System.pdbnt source: AV4b38nlhN.exe, 00000004.00000002.3075899276.00000000009C9000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 0000000C.00000002.3052912296.0000000001217000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.PDBm.dll source: AV4b38nlhN.exe, 00000008.00000002.3021171367.000000000117A000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: AV4b38nlhN.exe, 00000004.00000002.3076956330.0000000000F33000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: 91C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.PDB:\W source: AV4b38nlhN.exe, 00000004.00000002.3075213335.00000000008F2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdbZ source: AV4b38nlhN.exe, 00000018.00000002.3438991451.00000000010F4000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdbpdb q source: AV4b38nlhN.exe, 00000000.00000002.2972265541.0000000001586000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.pdbom0y source: AV4b38nlhN.exe, 00000004.00000002.3076956330.0000000000F33000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\AV4b38nlhN.PDB" source: AV4b38nlhN.exe, 00000010.00000002.3183908314.00000000007F2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Users\seven\Desktop\tt\System\System\obj\Release\System.pdb3@M@ ?@_CorExeMainmscoree.dll source: AV4b38nlhN.exe, AV4b38nlhN.exe.24.dr, AV4b38nlhN.exe.8.dr, AV4b38nlhN.exe.19.dr, AV4b38nlhN.exe.4.dr, AV4b38nlhN.exe0.0.dr, AV4b38nlhN.exe.12.dr, AV4b38nlhN.exe.0.dr, AV4b38nlhN.exe.16.dr
Source: Binary string: em.pdb source: AV4b38nlhN.exe, 00000004.00000002.3075213335.00000000008F2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\Desktop\AV4b38nlhN.PDB source: AV4b38nlhN.exe, 00000000.00000002.2970439481.0000000000CF2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\System.pdbe089 source: AV4b38nlhN.exe, 00000013.00000002.3305493646.0000000000DEB000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\System.pdb: source: AV4b38nlhN.exe, 00000008.00000002.3021016971.0000000000DE2000.00000004.00000010.00020000.00000000.sdmp, AV4b38nlhN.exe, 0000000C.00000002.3052694248.0000000000D72000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.pdbO source: AV4b38nlhN.exe, 00000010.00000002.3184058329.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.pdb source: AV4b38nlhN.exe, 00000000.00000002.2972265541.0000000001586000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000008.00000002.3024411839.0000000001416000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 0000000C.00000002.3053343087.00000000013F6000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000010.00000002.3184646982.0000000001226000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000013.00000002.3306473097.00000000015B6000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000018.00000002.3439620043.0000000001446000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\System.pdb source: AV4b38nlhN.exe, 00000010.00000002.3184058329.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\exe\System.pdb source: AV4b38nlhN.exe, 00000004.00000002.3075899276.0000000000A00000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000010.00000002.3184058329.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000018.00000002.3439041588.00000000011B8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\seven\Desktop\tt\System\System\obj\Release\System.pdb~ source: AV4b38nlhN.exe, 0000000C.00000002.3052694248.0000000000D72000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: 91C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.PDB:\W source: AV4b38nlhN.exe, 00000008.00000002.3021016971.0000000000DE2000.00000004.00000010.00020000.00000000.sdmp, AV4b38nlhN.exe, 0000000C.00000002.3052694248.0000000000D72000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\exe\System.pdb-- source: AV4b38nlhN.exe, 00000004.00000002.3076956330.0000000000F33000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: symbols\exe\System.pdb source: AV4b38nlhN.exe, 00000004.00000002.3075213335.00000000008F2000.00000004.00000010.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000010.00000002.3183908314.00000000007F2000.00000004.00000010.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000013.00000002.3305395115.0000000000CF2000.00000004.00000010.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000018.00000002.3438991451.00000000010F4000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: \??\C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.PDB4e089, source: AV4b38nlhN.exe, 0000000C.00000002.3052912296.0000000001217000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV4b38nlhN.PDB source: AV4b38nlhN.exe, 00000018.00000002.3438991451.00000000010F4000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe.pdb source: AV4b38nlhN.exe, 00000004.00000002.3075213335.00000000008F2000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdbF source: AV4b38nlhN.exe, 00000013.00000002.3306473097.00000000015B6000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\System.pdbpdbtem.pdbDA source: AV4b38nlhN.exe, 00000004.00000002.3076956330.0000000000F33000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\System.pdbpdbtem.pdb source: AV4b38nlhN.exe, 00000000.00000002.2972265541.0000000001586000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000004.00000002.3076956330.0000000000F33000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000008.00000002.3024411839.0000000001416000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 0000000C.00000002.3053343087.00000000013F6000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000010.00000002.3184646982.0000000001226000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000013.00000002.3306473097.00000000015B6000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000018.00000002.3439620043.0000000001446000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\exe\System.pdb source: AV4b38nlhN.exe, 00000000.00000002.2972265541.0000000001586000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000008.00000002.3024411839.0000000001416000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 0000000C.00000002.3053343087.00000000013F6000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000010.00000002.3184646982.0000000001226000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000013.00000002.3306473097.00000000015B6000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000018.00000002.3439620043.0000000001446000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\symbols\exe\System.pdb source: AV4b38nlhN.exe, 00000000.00000002.2970599744.0000000000E7B000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000010.00000002.3184058329.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000018.00000002.3439041588.00000000011B8000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdb6)ProgramW6432=C:\Program FilesPSMod source: AV4b38nlhN.exe, 00000004.00000002.3076956330.0000000000F33000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: \??\C:\Windows\System.pdbs source: AV4b38nlhN.exe, 0000000C.00000002.3052912296.0000000001217000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: em.pdb-- source: AV4b38nlhN.exe, 00000004.00000002.3075213335.00000000008F2000.00000004.00000010.00020000.00000000.sdmp
Source: AV4b38nlhN.exe Static PE information: 0xEE1C2548 [Fri Aug 3 08:46:00 2096 UTC]
Source: C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe File created: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV4b38nlhN.exe File created: C:\Users\user\AppData\Local\Temp\h4ljp22h.k2l\AV4b38nlhN.exe
Source: C:\Users\user\Desktop\AV4b38nlhN.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV4b38nlhN.exe
Source: C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\AV4b38nlhN.exe File created: C:\Users\user\AppData\Local\Temp\f3x15nhp.vew\AV4b38nlhN.exe
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe File created: C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\AV4b38nlhN.exe
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe File created: C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.exe
Source: C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.exe File created: C:\Users\user\AppData\Local\Temp\hayuutbg.cwy\AV4b38nlhN.exe
Source: C:\Users\user\Desktop\AV4b38nlhN.exe File created: C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe

Boot Survival

Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV4b38nlhN.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce MyClientAppOnce
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV4b38nlhN.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MyClientApp
Source: C:\Users\user\Desktop\AV4b38nlhN.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV4b38nlhN.exe
Source: C:\Users\user\Desktop\AV4b38nlhN.exe Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /create /tn "MyClientAppTask_638699391290709030" /tr "C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe" /sc onlogon /f
Source: C:\Users\user\Desktop\AV4b38nlhN.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV4b38nlhN.exe\:Zone.Identifier:$DATA
Source: C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV4b38nlhN.exe\:Zone.Identifier:$DATA
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV4b38nlhN.exe\:Zone.Identifier:$DATA
Source: C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\AV4b38nlhN.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV4b38nlhN.exe\:Zone.Identifier:$DATA
Source: C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV4b38nlhN.exe\:Zone.Identifier:$DATA
Source: C:\Users\user\Desktop\AV4b38nlhN.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MyClientApp
Source: C:\Users\user\Desktop\AV4b38nlhN.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce MyClientAppOnce
Source: C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MyClientApp
Source: C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce MyClientAppOnce
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MyClientApp
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce MyClientAppOnce
Source: C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\AV4b38nlhN.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MyClientApp
Source: C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\AV4b38nlhN.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce MyClientAppOnce
Source: C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run MyClientApp
Source: C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce MyClientAppOnce
Source: C:\Users\user\Desktop\AV4b38nlhN.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AV4b38nlhN.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\schtasks.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
Source: C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\AV4b38nlhN.exe Process information set: NOOPENFILEERRORBOX (30 entries)
Source: C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\AV4b38nlhN.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (3 entries)
Source: C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.exe Process information set: NOOPENFILEERRORBOX (31 entries)
Source: C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (3 entries)
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX (37 entries)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV4b38nlhN.exe Process information set: NOOPENFILEERRORBOX (31 entries)
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV4b38nlhN.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX (3 entries)
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\backgroundTaskHost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\AV4b38nlhN.exe Memory allocated: 10E0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\AV4b38nlhN.exe Memory allocated: 2FE0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\AV4b38nlhN.exe Memory allocated: 1AFE0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe Memory allocated: DD0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe Memory allocated: 2A60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe Memory allocated: 1AA60000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe Memory allocated: 13F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe Memory allocated: 31E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe Memory allocated: 1B1E0000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe Memory allocated: 1380000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe Memory allocated: 3150000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe Memory allocated: 1B150000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\AV4b38nlhN.exe Memory allocated: D00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\AV4b38nlhN.exe Memory allocated: 2C80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\AV4b38nlhN.exe Memory allocated: 1AC80000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.exe Memory allocated: 1160000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.exe Memory allocated: 2F10000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.exe Memory allocated: 1AF10000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV4b38nlhN.exe Memory allocated: 1400000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV4b38nlhN.exe Memory allocated: 3380000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV4b38nlhN.exe Memory allocated: 1B380000 memory commit | memory reserve | memory write watch
Source: C:\Users\user\Desktop\AV4b38nlhN.exe TID: 6528 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe TID: 936 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe TID: 4236 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe TID: 6600 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\AV4b38nlhN.exe TID: 5720 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.exe TID: 760 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV4b38nlhN.exe TID: 5024 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\AV4b38nlhN.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\AV4b38nlhN.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV4b38nlhN.exe Thread delayed: delay time: 30000
Source: Amcache.hve.22.dr Binary or memory string: VMware
Source: AV4b38nlhN.exe, 00000010.00000002.3184058329.0000000000BBA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllY
Source: Amcache.hve.22.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.22.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.22.dr Binary or memory string: VMware, Inc.
Source: Amcache.hve.22.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.22.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.22.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.22.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.22.dr Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: dw20.exe, 00000016.00000003.2963002935.000000000055A000.00000004.00000020.00020000.00000000.sdmp, dw20.exe, 00000016.00000002.3263517603.00000000004DF000.00000004.00000020.00020000.00000000.sdmp, dw20.exe, 00000016.00000002.3263517603.000000000055A000.00000004.00000020.00020000.00000000.sdmp, dw20.exe, 0000001B.00000003.3073490149.0000000000603000.00000004.00000020.00020000.00000000.sdmp, dw20.exe, 0000001B.00000002.3374294608.0000000000604000.00000004.00000020.00020000.00000000.sdmp, dw20.exe, 0000001C.00000002.3319495445.0000000000597000.00000004.00000020.00020000.00000000.sdmp, dw20.exe, 0000001C.00000003.3018877277.00000000005D2000.00000004.00000020.00020000.00000000.sdmp, dw20.exe, 0000001C.00000002.3319495445.00000000005D8000.00000004.00000020.00020000.00000000.sdmp, dw20.exe, 0000001D.00000002.3352434649.0000000000606000.00000004.00000020.00020000.00000000.sdmp, dw20.exe, 0000001D.00000003.3051733962.0000000000601000.00000004.00000020.00020000.00000000.sdmp, dw20.exe, 0000001D.00000002.3352434649.00000000005A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.22.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: dw20.exe, 00000016.00000003.2963002935.000000000055A000.00000004.00000020.00020000.00000000.sdmp, dw20.exe, 00000016.00000002.3263517603.000000000055A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW+
Source: dw20.exe, 0000001C.00000003.3018877277.00000000005D2000.00000004.00000020.00020000.00000000.sdmp, dw20.exe, 0000001C.00000002.3319495445.00000000005D8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWl
Source: Amcache.hve.22.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: dw20.exe, 00000024.00000002.3486236998.0000000000519000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: Amcache.hve.22.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.22.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: AV4b38nlhN.exe, 00000000.00000002.2970599744.0000000000E2A000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000004.00000002.3075899276.0000000000A0C000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000008.00000002.3021171367.000000000117A000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 0000000C.00000002.3052912296.0000000001217000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000013.00000002.3305493646.0000000000D98000.00000004.00000020.00020000.00000000.sdmp, AV4b38nlhN.exe, 00000018.00000002.3439041588.00000000011B8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.22.dr Binary or memory string: vmci.sys
Source: Amcache.hve.22.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.22.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.22.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: dw20.exe, 00000024.00000003.3182630430.000000000059F000.00000004.00000020.00020000.00000000.sdmp, dw20.exe, 00000024.00000003.3182163122.000000000059F000.00000004.00000020.00020000.00000000.sdmp, dw20.exe, 00000024.00000002.3486236998.000000000059F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWtI
Source: Amcache.hve.22.dr Binary or memory string: VMware20,1
Source: Amcache.hve.22.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.22.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.22.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.22.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.22.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.22.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.22.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: dw20.exe, 0000001D.00000002.3352434649.0000000000606000.00000004.00000020.00020000.00000000.sdmp, dw20.exe, 0000001D.00000003.3051733962.0000000000601000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWJ
Source: Amcache.hve.22.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.22.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.22.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: dw20.exe, 0000001B.00000002.3374294608.0000000000589000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW2211
Source: Amcache.hve.22.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Users\user\Desktop\AV4b38nlhN.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\AV4b38nlhN.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\AV4b38nlhN.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV4b38nlhN.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\AV4b38nlhN.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\AV4b38nlhN.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\AV4b38nlhN.exe Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /create /tn "MyClientAppTask_638699391290709030" /tr "C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe" /sc onlogon /f
Source: C:\Users\user\Desktop\AV4b38nlhN.exe Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe dw20.exe -x -s 980
Source: C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /create /tn "MyClientAppTask_638699391308679816" /tr "C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe" /sc onlogon /f
Source: C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe dw20.exe -x -s 1192
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /create /tn "MyClientAppTask_638699391446656104" /tr "C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\AV4b38nlhN.exe" /sc onlogon /f
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe dw20.exe -x -s 880
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /create /tn "MyClientAppTask_638699391551663456" /tr "C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.exe" /sc onlogon /f
Source: C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe dw20.exe -x -s 1152
Source: C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\AV4b38nlhN.exe Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /create /tn "MyClientAppTask_638699391675304437" /tr "C:\Users\user\AppData\Local\Temp\f3x15nhp.vew\AV4b38nlhN.exe" /sc onlogon /f
Source: C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\AV4b38nlhN.exe Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe dw20.exe -x -s 1172
Source: C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.exe Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /create /tn "MyClientAppTask_638699391812619093" /tr "C:\Users\user\AppData\Local\Temp\hayuutbg.cwy\AV4b38nlhN.exe" /sc onlogon /f
Source: C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.exe Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe dw20.exe -x -s 992
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV4b38nlhN.exe Process created: C:\Windows\System32\schtasks.exe "schtasks.exe" /create /tn "MyClientAppTask_638699391947448790" /tr "C:\Users\user\AppData\Local\Temp\h4ljp22h.k2l\AV4b38nlhN.exe" /sc onlogon /f
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV4b38nlhN.exe Process created: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe dw20.exe -x -s 1172
Source: C:\Users\user\Desktop\AV4b38nlhN.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: Amcache.hve.22.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.22.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.22.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.22.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.22.dr Binary or memory string: MsMpEng.exe
MITRE ATT&CK Matrix (one line per tactic; the number shown beside a technique in the matrix is kept in parentheses)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media
Execution: Scheduled Task/Job (1); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task
Persistence: Scheduled Task/Job (1); Registry Run Keys / Startup Folder (221); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts
Privilege Escalation: Process Injection (11); Scheduled Task/Job (1); Registry Run Keys / Startup Folder (221); DLL Side-Loading (1); Network Logon Script; RC Scripts
Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (31); Process Injection (11); Timestomp (1); DLL Side-Loading (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials
Discovery: Security Software Discovery (121); Process Discovery (1); Virtualization/Sandbox Evasion (31); System Information Discovery (2); Internet Connection Discovery; Wi-Fi Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture
Command and Control: Non-Standard Port (1); Non-Application Layer Protocol (1); Application Layer Protocol (1); Protocol Impersonation; Fallback Channels; Multiband Communication
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop
Behavior Graph ID: 1576157 | Sample: AV4b38nlhN.exe | Startdate: 16/12/2024 | Architecture: WINDOWS | Score: 84
DNS/IP info: g-bing-com.ax-0001.ax-msedge.net; ax-0001.ax-msedge.net; 10.76.9.0.in-addr.arpa
Signatures: Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; Sigma detected: New RUN Key Pointing to Suspicious Folder; 3 other signatures
Process tree:
  AV4b38nlhN.exe
    network: 193.58.121.250, ports 49713, 49715, 49738 (DCHASSELTBE, Germany)
    dropped: C:\Users\user\AppData\...\AV4b38nlhN.exe (PE32); 3 other malicious files
    signatures: Drops PE files to the startup folder; Uses schtasks.exe or at.exe to add and modify task schedules
    schtasks.exe
      conhost.exe
    2 other processes
  AV4b38nlhN.exe
    dropped: 2 other malicious files
    signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
    schtasks.exe
      conhost.exe
    dw20.exe
  AV4b38nlhN.exe
    dropped: C:\Users\user\AppData\...\AV4b38nlhN.exe (PE32); C:\Users\...\AV4b38nlhN.exe:Zone.Identifier (ASCII)
    schtasks.exe
      conhost.exe
    dw20.exe
  4 other processes
    dropped: C:\Users\user\AppData\...\AV4b38nlhN.exe (PE32), three copies; 5 other malicious files
    signatures: Creates multiple autostart registry keys
    schtasks.exe
      conhost.exe
    schtasks.exe
      conhost.exe
    6 other processes
      conhost.exe
      conhost.exe

Source | Detection | Scanner | Label
AV4b38nlhN.exe | 18% | ReversingLabs |
AV4b38nlhN.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\h4ljp22h.k2l\AV4b38nlhN.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\AV4b38nlhN.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\hayuutbg.cwy\AV4b38nlhN.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\f3x15nhp.vew\AV4b38nlhN.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe | 18% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe | 18% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.exe | 18% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\f3x15nhp.vew\AV4b38nlhN.exe | 18% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\h4ljp22h.k2l\AV4b38nlhN.exe | 18% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\hayuutbg.cwy\AV4b38nlhN.exe | 18% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\AV4b38nlhN.exe | 18% | ReversingLabs |
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV4b38nlhN.exe | 18% | ReversingLabs |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
https://watson.tU | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
ax-0001.ax-msedge.net | 150.171.28.10 | true | false | | high
fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | | high
10.76.9.0.in-addr.arpa | unknown | unknown | false | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://api.ipify.org | AV4b38nlhN.exe, AV4b38nlhN.exe.24.dr, AV4b38nlhN.exe.8.dr, AV4b38nlhN.exe.19.dr, AV4b38nlhN.exe.4.dr, AV4b38nlhN.exe0.0.dr, AV4b38nlhN.exe.12.dr, AV4b38nlhN.exe.0.dr, AV4b38nlhN.exe.16.dr | false | | high
http://upx.sf.net | Amcache.hve.22.dr | false | | high
https://watson.tU | dw20.exe, 0000001B.00000003.3046464190.00000000005C3000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
193.58.121.250 | unknown | Germany | 210017 | DCHASSELTBE | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1576157
Start date and time: 2024-12-16 15:44:36 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 13s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name: Run with higher sleep bypass
Number of analysed new started processes: 47
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: AV4b38nlhN.exe (renamed because the original name is a hash value)
Original Sample Name: d6bfab9dde06d4baddec652f65c16319.exe
Detection: MAL
Classification: mal84.adwa.winEXE@43/38@6/1
EGA Information: Failed
HCA Information:
  • Successful, ratio: 97%
  • Number of executed functions: 56
  • Number of non-executed functions: 0
Cookbook Comments:
  • Found application associated with file extension: .exe
  • Sleeps bigger than 100000000ms are automatically reduced to 1000ms
  • Sleep loops longer than 100000000ms are bypassed. Single calls with a delay of 100000000ms and higher are ignored
  • Excluded processes from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
  • Excluded IPs from analysis (whitelisted): 20.189.173.20, 20.42.65.92, 20.189.173.21, 23.218.208.109, 20.190.177.82, 20.31.169.57, 13.107.246.63, 172.202.163.200, 40.126.53.21, 20.74.47.205, 2.16.158.74, 20.223.35.26, 150.171.28.10, 2.16.158.179
  • Excluded domains from analysis (whitelisted): www.bing.com, client.wns.windows.com, fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, tse1.mm.bing.net, g.bing.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdeus17.eastus.cloudapp.azure.com, ocsp.digicert.com, login.live.com, e16604.g.akamaiedge.net, ocsp.edge.digicert.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, umwatson.events.data.microsoft.com, prod.fs.microsoft.com.akadns.net
  • Execution Graph export aborted for target AV4b38nlhN.exe, PID 2216, because it is empty
  • Execution Graph export aborted for target AV4b38nlhN.exe, PID 2936, because it is empty
  • Execution Graph export aborted for target AV4b38nlhN.exe, PID 3544, because it is empty
  • Execution Graph export aborted for target AV4b38nlhN.exe, PID 4788, because it is empty
  • Execution Graph export aborted for target AV4b38nlhN.exe, PID 5916, because it is empty
  • Execution Graph export aborted for target AV4b38nlhN.exe, PID 612, because it is empty
  • Execution Graph export aborted for target AV4b38nlhN.exe, PID 7004, because it is empty
  • Not all processes were analyzed; the report is missing behavior information
  • Report size exceeded maximum capacity and may be missing behavior information
  • Report size getting too big: too many NtOpenKeyEx calls found
  • Report size getting too big: too many NtProtectVirtualMemory calls found
  • Report size getting too big: too many NtQueryValueKey calls found
  • VT rate limit hit for: AV4b38nlhN.exe
Time | Type | Description
15:45:30 | Task Scheduler | Run new task: MyClientAppTask_638699391290709030 path: C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe
15:45:34 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce MyClientAppOnce C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe
15:45:43 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run MyClientApp C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe
15:45:55 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce MyClientAppOnce C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\AV4b38nlhN.exe
15:46:07 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run MyClientApp C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.exe
15:46:21 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV4b38nlhN.exe
            No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
fp2e7a.wpc.phicdn.net | fm2r286nqT.exe | malicious | LummaC | 192.229.221.95
fp2e7a.wpc.phicdn.net | msimg32.dll | malicious | RHADAMANTHYS | 192.229.221.95
fp2e7a.wpc.phicdn.net | YBkzZEtVcK.exe | malicious | Unknown | 192.229.221.95
fp2e7a.wpc.phicdn.net | xGW5bGPCIg.exe | malicious | Cryptbot | 192.229.221.95
fp2e7a.wpc.phicdn.net | SOjID1t3un.exe | malicious | LummaC | 192.229.221.95
fp2e7a.wpc.phicdn.net | https://t.co/eSJUUrWOcO | malicious | HTMLPhisher | 192.229.221.95
fp2e7a.wpc.phicdn.net | CrSpoof.exe | malicious | Unknown | 192.229.221.95
fp2e7a.wpc.phicdn.net | Microsoft_Hardware_Launch.exe | malicious | Njrat | 192.229.221.95
fp2e7a.wpc.phicdn.net | temp.exe | malicious | AsyncRAT | 192.229.221.95
fp2e7a.wpc.phicdn.net | p4je1wuZSx.exe | malicious | Unknown | 192.229.221.95
ax-0001.ax-msedge.net | fm2r286nqT.exe | malicious | LummaC | 150.171.27.10
ax-0001.ax-msedge.net | FT876567090.exe | malicious | Snake Keylogger, VIP Keylogger | 150.171.28.10
ax-0001.ax-msedge.net | https://t.co/eSJUUrWOcO | malicious | HTMLPhisher | 150.171.27.10
ax-0001.ax-msedge.net | Payment_swift_copy.xls | malicious | Unknown | 150.171.27.10
ax-0001.ax-msedge.net | InvoiceNr274728.pdf.lnk | malicious | Unknown | 150.171.28.10
ax-0001.ax-msedge.net | TNT AWB TRACKING DETAILS.exe | malicious | FormBook | 150.171.28.10
ax-0001.ax-msedge.net | spectrum.exe | malicious | Quasar | 150.171.27.10
ax-0001.ax-msedge.net | USJFMdzoFi.doc | malicious | Unknown | 150.171.27.10
ax-0001.ax-msedge.net | https://go.eu.sparkpostmail1.com/f/a/IgPiUnQgGsgttR90IQc-hw~~/AAGCxAA~/RgRpOpvrP0QqaHR0cHM6Ly9tYXNzd29vZHBvbGlzaC5pbi93YXRlci9jb2xkL2luZGV4VwVzcGNldUIKZ1XrFlhnca8zKlISemFyZ2FyQGZhcmlkZWEuY29tWAQAAAAB#YmlsbC5ob2l0dEBwYXJ0bmVyc21ndS5jb20= | malicious | HTMLPhisher | 150.171.27.10
ax-0001.ax-msedge.net | tnGNUbHCAK.doc | malicious | Unknown | 150.171.28.10
Match | Associated Sample Name / URL | Detection | Threat Name | Context
DCHASSELTBE | WYU9WnEMkg.elf | malicious | Mirai | 193.58.122.184
DCHASSELTBE | NHe8WKGQ7U.elf | malicious | Mirai | 193.58.122.195
DCHASSELTBE | 5i1SGTKIsl | malicious | Mirai | 193.58.122.195
            No context
            No context
Process: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.0023218287098747
Encrypted: false
SSDEEP: 192:bCs2q6cRQqLR8aB89oHcmB6iTkeMDVW6zuiFqZ24lO8K:L2qxRkacmJmzuiFqY4lO8
MD5: 1A3811DC442486986478CE15C06A096F
SHA1: E38F0CD60E00C9F0DB66A5C4BC727F2158073612
SHA-256: 5751B716183EFD92ACA3B5A371C7FEF5873493A0C309F97214BD5932985749ED
SHA-512: 6CE2E46F15873E417F9AB85B8AB01BF705D693E51246D41EA49E811AA267BEABDFDBA66343D9F33195C6E349C52B33271B5D737CE7F550629B9DF2F1B7007ECD
Malicious: false
Preview (UTF-16 decoded):
  Version=1
  EventType=CLR20r3
  EventTime=133788340123127332
  ReportType=2
  Consent=1
  UploadTime=133788340190002420
  ReportStatus=524384
  ReportIdentifier=0da3578c-460f-4464-8782-9da679cb7e80
  Wow64Host=34404
  OriginalFilename=System.exe
  AppSessionGuid=000008a8-0001-0015-8062-6327c94fdb01
  TargetAppId=W:00061152e8f9a34c778d9c770034c65b88ce00000000!0000c51e91131088afd83262f5aa7ba8df98399ec225!AV4b38nlhN.exe
  TargetAppVer=2096//08//03:08:46:00!0!AV4b38nlhN.exe
  BootId=4294967295
  TargetAsId=436
Process: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.001743585618824
Encrypted: false
SSDEEP: 192:xXHYRQqHT2aB89oHcmB6iTkeMDVW6zuiF6Z24lO8Q:xHYRtT2acmJmzuiF6Y4lO8Q
MD5: AFDCC7D94698F7D5EAC11F4D790208BF
SHA1: C47B84F6E0DAABF4D5BDD0481A23FF1299142C24
SHA-256: DFFBADFE3A2D9ED51A546A69402EEA792EACA2EA18608C42425A4B88C6D99099
SHA-512: 702C1759EE42E5646C9E2CA79CB3DFE8EB78209024D1DC0107750EC424F67CEB1F1EAC8FA1A6A3C0D9648E380076B6AE9F7A3C920AC9B9947E2DB2C0110FDFE9
Malicious: false
Preview (UTF-16 decoded):
  Version=1
  EventType=CLR20r3
  EventTime=133788340419795853
  ReportType=2
  Consent=1
  UploadTime=133788340423389577
  ReportStatus=524384
  ReportIdentifier=b66cf82e-a582-435a-a088-8b6b717327df
  Wow64Host=34404
  OriginalFilename=System.exe
  AppSessionGuid=00001b5c-0001-0015-1a28-4c44c94fdb01
  TargetAppId=W:00061152e8f9a34c778d9c770034c65b88ce00000000!0000c51e91131088afd83262f5aa7ba8df98399ec225!AV4b38nlhN.exe
  TargetAppVer=2096//08//03:08:46:00!0!AV4b38nlhN.exe
  BootId=4294967295
  TargetAsId=451
Process: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.002573231989977
Encrypted: false
SSDEEP: 192:YRmooRQqMIGaB89oHcmB6iTkeMDVW6zuiFqZ24lO8j:booRmIGacmJmzuiFqY4lO8j
MD5: BB8CB400949C8A08AF120A77C5901BB0
SHA1: 264EA7C6FC5EDB400398E454DDB42B731E8A85B4
SHA-256: 282C951E46AADE0510A18EED8B96A3F5508C3E3340D36A05AA27C47F5AE29DE1
SHA-512: 2BD1A42C9C943CD629586E3428F1DA044D86004C48C91EAC0EFDF79D2C330F4620B6C71B154A685765677AE1F3A1A3F2981B134856065BDDF918E775E8EBC63C
Malicious: false
Preview (UTF-16 decoded):
  Version=1
  EventType=CLR20r3
  EventTime=133788340300751508
  ReportType=2
  Consent=1
  UploadTime=133788340305438927
  ReportStatus=524384
  ReportIdentifier=c90c3843-e282-43d8-87a8-174043589578
  Wow64Host=34404
  OriginalFilename=System.exe
  AppSessionGuid=0000171c-0001-0015-7300-b53cc94fdb01
  TargetAppId=W:00061152e8f9a34c778d9c770034c65b88ce00000000!0000c51e91131088afd83262f5aa7ba8df98399ec225!AV4b38nlhN.exe
  TargetAppVer=2096//08//03:08:46:00!0!AV4b38nlhN.exe
  BootId=4294967295
  TargetAsId=448
Process: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.0022726413644476
Encrypted: false
SSDEEP: 192:Ye3QRQqc6gaB89oHcmB6iTkeMDVW6zuiFqZ24lO8z:l3QRkacmJmzuiFqY4lO8
MD5: CF7DD60823B4F7068EAAE0C8554BCB09
SHA1: FCD6E4D5DD01B82C68D858DE769C142FC1E1CD70
SHA-256: 4976414913DA0F1B67C25D1AC259603698E97B389A4BE13488C174296585C0F3
SHA-512: EA45BD66F92CF1CDDB3C2B48EEA4B96B57C9D58318545D0E3D014AD64B9D26D63232E79824510D90E0C817F3EC33D7BC267AF57C2558E4E7071AE432184D01C7
Malicious: false
Preview (UTF-16 decoded):
  Version=1
  EventType=CLR20r3
  EventTime=133788340077337909
  ReportType=2
  Consent=1
  UploadTime=133788340117181563
  ReportStatus=524384
  ReportIdentifier=d6deb3d3-f488-4122-b8a9-bb8140667291
  Wow64Host=34404
  OriginalFilename=System.exe
  AppSessionGuid=00000b78-0001-0015-8af7-c12ec94fdb01
  TargetAppId=W:00061152e8f9a34c778d9c770034c65b88ce00000000!0000c51e91131088afd83262f5aa7ba8df98399ec225!AV4b38nlhN.exe
  TargetAppVer=2096//08//03:08:46:00!0!AV4b38nlhN.exe
  BootId=4294967295
  TargetAsId=440
Process: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.9959219946881676
Encrypted: false
SSDEEP: 192:s4c/0RQqc6gapS9LMcmLjlWHxMIV87zuiFqZ24lO8z:sb/0RkaqmtHzuiFqY4lO8
MD5: 86FCCF025F5839A677D68F412E853600
SHA1: 7A827F571EE09DE42CD3E3858EA94A032314C054
SHA-256: 913EFB54B23047614BC97AEAA0BE34CF49196A8A5582AB2332FA2DC6A89C6E7B
SHA-512: 593AEAAC1F8CEC83B45998AE231BE1B976E04D646D5EC33ED7FE13550D5B55B945D19C5D0A7E0BA0191B441FC37B4575927C2A374AA28223444783BA5A94BF2B
Malicious: false
Preview (UTF-16 decoded):
  Version=1
  EventType=CLR20r3
  EventTime=133788340171235439
  ReportType=2
  Consent=1
  UploadTime=133788340176079091
  ReportStatus=524384
  ReportIdentifier=e4c3666d-0f5b-4907-a230-1169eb89e7cf
  Wow64Host=34404
  OriginalFilename=System.exe
  AppSessionGuid=000012b4-0001-0015-984a-6a35c94fdb01
  TargetAppId=W:00061152e8f9a34c778d9c770034c65b88ce00000000!0000c51e91131088afd83262f5aa7ba8df98399ec225!AV4b38nlhN.exe
  TargetAppVer=2096//08//03:08:46:00!0!AV4b38nlhN.exe
  BootId=4294967295
  TargetAsId=444
Process: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 1.013776792651968
Encrypted: false
SSDEEP: 192:MUsa3RQqCaB89oHcmB6iTkeMDVW6zuiF6Z24lO8:lsa3R0acmJmzuiF6Y4lO8
MD5: A811A5E1AAAE5AA27CE02EBDDD49DAE3
SHA1: E5D4F144147607A22A380799E5E5EAC8529FE957
SHA-256: 77348F5537FE2629A8C9CDA946928C4256C7415F2F302B4F4CB74C3D1066D599
SHA-512: A1AC9E9413F9CEC64882FE020B4CB97DD53DD669A89A8D21D63BD34CC9D8895BDAD795DDA8C3F1E1082AD4A5339C5D0CFFEC453B76CB8E2C4674B8882F188516
Malicious: false
Preview (UTF-16 decoded):
  Version=1
  EventType=CLR20r3
  EventTime=133788340553703485
  ReportType=2
  Consent=1
  UploadTime=133788340558234667
  ReportStatus=524384
  ReportIdentifier=f3141d6f-b59c-484f-a3f3-4667fddd196c
  Wow64Host=34404
  OriginalFilename=System.exe
  AppSessionGuid=00000264-0001-0015-fe8d-f24bc94fdb01
  TargetAppId=W:00061152e8f9a34c778d9c770034c65b88ce00000000!0000c51e91131088afd83262f5aa7ba8df98399ec225!AV4b38nlhN.exe
  TargetAppVer=2096//08//03:08:46:00!0!AV4b38nlhN.exe
  BootId=4294967295
  TargetAsId=456
Process: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
File Type: Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 65536
Entropy (8bit): 0.9917489797152177
Encrypted: false
SSDEEP: 192:ePp64RQqyaB89oHcmB6iTkeMDVW6zuiFqZ24lO8:OpVRkacmJmzuiFqY4lO8
MD5: 5C2DC7B455A899DC62BB4DA2525D9656
SHA1: B60AC0408A87750C7B43FFC365F122E75C306564
SHA-256: 8F54887F01F8E853482DE0AECE222283B2F4BDB58A04A2FC211A0451113A765D
SHA-512: B898AE0DA4DA50C2804A00D020D124C1E8D08F2763667FB3CB909C3F8FF835E5A73DE7C4F42E6C3A0B03BB891EA57C22EF380289E73749F5FF51B5599702691F
Malicious: false
Preview (UTF-16 decoded):
  Version=1
  EventType=CLR20r3
  EventTime=133788339907258706
  ReportType=2
  Consent=1
  UploadTime=133788340003977446
  ReportStatus=524384
  ReportIdentifier=f95f1d01-290d-4839-823a-4ebe4c9f1eae
  Wow64Host=34404
  OriginalFilename=System.exe
  AppSessionGuid=00000dd8-0001-0015-e644-1826c94fdb01
  TargetAppId=W:00061152e8f9a34c778d9c770034c65b88ce00000000!0000c51e91131088afd83262f5aa7ba8df98399ec225!AV4b38nlhN.exe
  TargetAppVer=2096//08//03:08:46:00!0!AV4b38nlhN.exe
  BootId=4294967295
  TargetAsId=432
Process: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 8124
Entropy (8bit): 3.7049311801614393
Encrypted: false
SSDEEP: 192:R6l7wVeJp6CcQe6Y2DZ0gmfZFhp19Dhfwg/m:R6lXJp/a6Yk0gmfrt9Ffw
MD5: E0086522FFC00543A24469895ADB9676
SHA1: C7B1C16E97F5AEC3ACC0F4CEA6F8D49143E7C050
SHA-256: D86498B5D2377322E1FF1E54A9C24A6B499B451D63FEB499693C4653EDD57C00
SHA-512: 7E6E4556C8DA0CC14EF5F76B9444D9BD5C390BDEAE715741E61F3F1FC6C2E08057F324E62BDCB30DA0374A21E0F4DCA4D184214DADABFE00E9949ACC4BDCCF4B
Malicious: false
Preview (UTF-16 decoded, truncated as in the report):
  <?xml version="1.0" encoding="UTF-16"?>
  <WERReportMetadata>
   <OSVersionInformation>
    <WindowsNTVersion>10.0</WindowsNTVersion>
    <Build>19045</Build>
    <Product>(0x30): Windows 10 Pro</Product>
    <Edition>Professional</Edition>
    <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>
    <Revision>2006</Revision>
    <Flavor>Multiprocessor Free</Flavor>
    <Architecture>X64</Architecture>
    <LCID>2057</LCID>
   </OSVersionInformation>
   <ProcessInformation>
    <Pid>5916</Pi
Process: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4731
Entropy (8bit): 4.45586569792896
Encrypted: false
SSDEEP: 48:cvIwWl8zsKJg771I9GJWpW8VYbYm8M4JFKyyFqCczoyq8v95TynibK7d:uIjfYI7d47VvJFKWC0oW7TCiG7d
MD5: 82CF261836B9790BFD14BEA0BAA283A0
SHA1: 1B8B37E77CF1C4CC7B0D1BFBC1A07D9F1BE8D88F
SHA-256: 10FAC08897BB09C1BA161566D8D914A00EA5E9A1EB48062E9941F0B8FCEDC59D
SHA-512: F4513B4FFD06354E1C08BEAAD06879BC47489E9DBE8CFE3076882603DE39B2AA4E680BE4849D80FEE4E98B5DFC0EFADDD83224764EC701185CA893CF6EEA063A
Malicious: false
Preview (truncated as in the report):
  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <req ver="2">
   <tlm>
   <src>
   <desc>
   <mach>
   <os>
   <arg nm="vermaj" val="10" />
   <arg nm="vermin" val="0" />
   <arg nm="verbld" val="19045" />
   <arg nm="vercsdbld" val="2006" />
   <arg nm="verqfe" val="2006" />
   <arg nm="csdbld" val="2006" />
   <arg nm="versp" val="0" />
   <arg nm="arch" val="9" />
   <arg nm="lcid" val="2057" />
   <arg nm="geoid" val="223" />
   <arg nm="sku" val="48" />
   <arg nm="domain" val="0" />
   <arg nm="prodsuite" val="256" />
   <arg nm="ntprodtype" val="1" />
   <arg nm="platid" val="2" />
   <arg nm="tmsi" val="633949" />
   <arg nm="osinsty" val="1" />
   <arg nm="iever" val="11.789.19041.0-11.0.1000" />
   <arg nm="portos" val="0" />
   <arg nm="ram" val="409
Process: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
File Type: XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category: dropped
Size (bytes): 8124
Entropy (8bit): 3.707074179585093
Encrypted: false
SSDEEP: 192:R6l7wVeJlWhK6Y2DDCzgmfZFhp18zhfS0m:R6lXJSK6YO+gmfrt81fw
MD5: 4D914D2D626D7BA720D88B6B3C3D3687
SHA1: 2028578F21754A8977787221954A7C4F195BD5DB
SHA-256: B091D714AB374489EC34E00ECA282B50A90976F74DBF27BBF7958D33C98B0DE0
SHA-512: A8CCA37C37C358158A2E9E3FDC6540950AEAB4CD5B82B3793704DD826C007A8C2404B8D5D06E7E84ADFA58614D8CF529C3BAD108C0212851ECA189EC2F12509B
Malicious: false
Preview (UTF-16 decoded, truncated as in the report):
  <?xml version="1.0" encoding="UTF-16"?>
  <WERReportMetadata>
   <OSVersionInformation>
    <WindowsNTVersion>10.0</WindowsNTVersion>
    <Build>19045</Build>
    <Product>(0x30): Windows 10 Pro</Product>
    <Edition>Professional</Edition>
    <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>
    <Revision>2006</Revision>
    <Flavor>Multiprocessor Free</Flavor>
    <Architecture>X64</Architecture>
    <LCID>2057</LCID>
   </OSVersionInformation>
   <ProcessInformation>
    <Pid>7004</Pi
Process: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
File Type: XML 1.0 document, ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 4731
Entropy (8bit): 4.455628388812724
Encrypted: false
SSDEEP: 48:cvIwWl8zs4Jg771I9GJWpW8VY8Ym8M4JFKyyFhWyq8v9eTynibKtd:uIjf+I7d47VsJFK9WWsTCiGtd
MD5: CD36D656942CACACCD5F231F3682F9FA
SHA1: 52C277B103BEC5F6BF20BA28AFE1AFE9AE38DCB5
SHA-256: FA5386B879CAF8E8D555F4FB2153F386C2AE0B2CA215335387E52852590881FF
SHA-512: A5F2988B977FCF417ECDEDA3F5409415E132117FBD4AD936D9F0B14B571F4FBC32A570F10A278F41B03F03D64C7159D92C314A1AA537F87F24FB1FB2266FBA1C
Malicious: false
Preview (truncated as in the report):
  <?xml version="1.0" encoding="UTF-8" standalone="yes"?>
  <req ver="2">
   <tlm>
   <src>
   <desc>
   <mach>
   <os>
   <arg nm="vermaj" val="10" />
   <arg nm="vermin" val="0" />
   <arg nm="verbld" val="19045" />
   <arg nm="vercsdbld" val="2006" />
   <arg nm="verqfe" val="2006" />
   <arg nm="csdbld" val="2006" />
   <arg nm="versp" val="0" />
   <arg nm="arch" val="9" />
   <arg nm="lcid" val="2057" />
   <arg nm="geoid" val="223" />
   <arg nm="sku" val="48" />
   <arg nm="domain" val="0" />
   <arg nm="prodsuite" val="256" />
   <arg nm="ntprodtype" val="1" />
   <arg nm="platid" val="2" />
   <arg nm="tmsi" val="633950" />
   <arg nm="osinsty" val="1" />
   <arg nm="iever" val="11.789.19041.0-11.0.1000" />
   <arg nm="portos" val="0" />
   <arg nm="ram" val="409
            Process:C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
            Category:dropped
            Size (bytes):8132
            Entropy (8bit):3.7055802268366747
            Encrypted:false
            SSDEEP:192:R6l7wVeJKWXn6Y2D32sKgmfZFhp1yfSef9iGm:R6lXJb36Ya2sKgmfrtyfLf9q
            MD5:6893F360C1FECDC67597090C5D22E90A
            SHA1:A9A22007E819B363D112AFDF0E1883BD82971BD7
            SHA-256:7A96A9A92BCAAB2A0B3FEFB48A14287E1FF49D8DB0CD7A20FE23B351FED98859
            SHA-512:BC512490E26F59442C5BDEE5084FF068F2E148789729E8F230DEE1F1D9DE13F178ECE0914328230179B9998642890A78AB8C1000309DB130DD9C16C4470F6FDC
            Malicious:false
            Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>.. <OSVersionInformation>.. <WindowsNTVersion>10.0</WindowsNTVersion>.. <Build>19045</Build>.. <Product>(0x30): Windows 10 Pro</Product>.. <Edition>Professional</Edition>.. <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>.. <Revision>2006</Revision>.. <Flavor>Multiprocessor Free</Flavor>.. <Architecture>X64</Architecture>.. <LCID>2057</LCID>.. </OSVersionInformation>.. <ProcessInformation>.. <Pid>612</Pid
            Process:C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):4731
            Entropy (8bit):4.458696715914493
            Encrypted:false
            SSDEEP:48:cvIwWl8zs4Jg771I9GJWpW8VYTYm8M4JFKyyF8yq8v9Ym1TynibKId:uIjf+I7d47VDJFKIWjTCiGId
            MD5:50D171BC32082B5F15814B76D522FEF1
            SHA1:F220B295ACD4B31C46ADC3882BB58C19CA712EFD
            SHA-256:BD26D355C37AC4D53041AD9AAA72ED9228C5FF9BBB640DC24CC1BA9BCD14ACF4
            SHA-512:9B4387C20548A8A86B80AE86AC5F8D10C164D98F7E52477F810058A7BC94CD68F92C36CF39E9D9AC1435EC0B7D36F2ADFA6FF9FE44ED739B7FD1C806C3439B50
            Malicious:false
            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="633950" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
            Process:C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
            Category:dropped
            Size (bytes):8126
            Entropy (8bit):3.7040503787706314
            Encrypted:false
            SSDEEP:192:R6l7wVeJpnee6Y2D/LmgmfZFhp13LvVf6dm:R6lXJJv6YOmgmfrt3DVfp
            MD5:7484F734C1465415E7FFC55F1CF0D074
            SHA1:70C01F3B625E3DF7D78FB120B587123D9F5C4FF6
            SHA-256:F4FFD09C30183F9E03B2E9922DDE81086EF8DF8CEB94496B80DBA5437F2651E1
            SHA-512:4F699AE9F46B97B7C343261CD66341A91528085208DA6EF364E89D2350B0593DD513FEFC437055DE8A48FBBA633B74181F9FEF8C109728A8AD54E60E62F52A15
            Malicious:false
            Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>.. <OSVersionInformation>.. <WindowsNTVersion>10.0</WindowsNTVersion>.. <Build>19045</Build>.. <Product>(0x30): Windows 10 Pro</Product>.. <Edition>Professional</Edition>.. <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>.. <Revision>2006</Revision>.. <Flavor>Multiprocessor Free</Flavor>.. <Architecture>X64</Architecture>.. <LCID>2057</LCID>.. </OSVersionInformation>.. <ProcessInformation>.. <Pid>3544</Pi
            Process:C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):4731
            Entropy (8bit):4.454556969184351
            Encrypted:false
            SSDEEP:48:cvIwWl8zsKJg771I9GJWpW8VYOYm8M4JFKyyFoaMyq8v9sTynibKed:uIjfYI7d47VWJFKvMWmTCiGed
            MD5:607E95B77A8566DE14DE044974FBD2B6
            SHA1:D8F3E74A8CC218443AB1831B198C0A3DC48AC3AA
            SHA-256:91B778C67C68EB209003403400B8C97BB60D03CAC7D65175EFDBF2704A434D4D
            SHA-512:3FA3BBD8960BBEA6328063CF91D6B14ECB6E03752B256160E6F647881D1EB7BABF37D4362335CC7A764958973BB31936A8A72672B6BA7E10CFE212AFC6A3104A
            Malicious:false
            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="633949" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
            Process:C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
            Category:dropped
            Size (bytes):8124
            Entropy (8bit):3.7058437441678613
            Encrypted:false
            SSDEEP:192:R6l7wVeJBdXE+6Y2Dddg2gmfZFhp1xWSfL7m:R6lXJb0+6YAdg2gmfrtxzfW
            MD5:0C88A5DCBF678AB539D81049C0AF68CE
            SHA1:76136C3ECBC6BA34BFE3F924CD0870E6ECA33C08
            SHA-256:4FCC6443C4FD31E071C2BD44A7D957591FE9678BD119ABCC6BFAFBA2AB03BD4D
            SHA-512:A545B2917F9F9BC114608D190D857644F22211AE6C9F626D8227C80227F1F3184760A89A31D1727A584026883F8FB6DC208AFCB57B70E93F17BB458893534429
            Malicious:false
            Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>.. <OSVersionInformation>.. <WindowsNTVersion>10.0</WindowsNTVersion>.. <Build>19045</Build>.. <Product>(0x30): Windows 10 Pro</Product>.. <Edition>Professional</Edition>.. <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>.. <Revision>2006</Revision>.. <Flavor>Multiprocessor Free</Flavor>.. <Architecture>X64</Architecture>.. <LCID>2057</LCID>.. </OSVersionInformation>.. <ProcessInformation>.. <Pid>2936</Pi
            Process:C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):4731
            Entropy (8bit):4.454963012048
            Encrypted:false
            SSDEEP:48:cvIwWl8zsKJg771I9GJWpW8VYMYm8M4JFKyyFjyq8v9sTynibKTd:uIjfYI7d47V4JFKXWqTCiGTd
            MD5:86229E523072AA4DCFCC7117046E097A
            SHA1:FC2BAEE175215D82424BC3D931B6ECD91C58499F
            SHA-256:6CAD8D064F0BC52ED5D7BB06A39EE502BEA4348536DD0029AEF0B4CA980502ED
            SHA-512:EF79DD349FFC4A9C76D892E2390F4BE48C429F4988E32912F42E172FF54CD9623F51A6A9F619696E51849B3026A82F571F6C4AC66E88427858063188994D6FEF
            Malicious:false
            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="633949" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
            Process:C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
            Category:dropped
            Size (bytes):6108
            Entropy (8bit):3.732600881816505
            Encrypted:false
            SSDEEP:96:RSIU6o7wVetbwM8NYZF0OB5aM1P/XfWwjqvOfNw9vm:R6l7wVeJwMuYZFhp1nu+SOfNwNm
            MD5:E55669F70F49607FFAA4276C539D8070
            SHA1:B980A20980394428D036D2C6171AA1BA9BF68A2E
            SHA-256:9131A8788D962573FF7ABAF32C2AFBE85D2CA134548991799CD2E9457473E787
            SHA-512:19289D770D733425FFC35ADF3CDB0060B4D416C877062F4FA7F304ABBE678A6A0273BAA2C20885535353A29F40259299F13E21051E43F1A791A75D78C4080D03
            Malicious:false
            Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>.. <OSVersionInformation>.. <WindowsNTVersion>10.0</WindowsNTVersion>.. <Build>19045</Build>.. <Product>(0x30): Windows 10 Pro</Product>.. <Edition>Professional</Edition>.. <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>.. <Revision>2006</Revision>.. <Flavor>Multiprocessor Free</Flavor>.. <Architecture>X64</Architecture>.. <LCID>2057</LCID>.. </OSVersionInformation>.. <ProcessInformation>.. <Pid>2216</Pi
            Process:C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
            File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
            Category:dropped
            Size (bytes):8124
            Entropy (8bit):3.707063313690591
            Encrypted:false
            SSDEEP:192:R6l7wVeJMEC6Y2DH3SgmfZFhp1nHgfVNm:R6lXJvC6YKCgmfrtnAfu
            MD5:3C783C31E6A96633E133AE8BEADE4FBA
            SHA1:678225ACF5F78FDE0CB0AEC60AAE6D8F41A43A69
            SHA-256:0A425CB0DC65A0E9BA8DF7CF1CCBAF8637B8800243E010B12A10F4BD66FA6396
            SHA-512:7C667776D2230168AD10F48B76C5D2359DB45C2B2680BE052994EE28F07FF853D5AC8ED9C9216BAB5759C7F3EC448B3C11F30A4F9BD067DC71F7E27654C16EE5
            Malicious:false
            Preview:<?xml version="1.0" encoding="UTF-16"?>..<WERReportMetadata>.. <OSVersionInformation>.. <WindowsNTVersion>10.0</WindowsNTVersion>.. <Build>19045</Build>.. <Product>(0x30): Windows 10 Pro</Product>.. <Edition>Professional</Edition>.. <BuildString>19041.2006.amd64fre.vb_release.191206-1406</BuildString>.. <Revision>2006</Revision>.. <Flavor>Multiprocessor Free</Flavor>.. <Architecture>X64</Architecture>.. <LCID>2057</LCID>.. </OSVersionInformation>.. <ProcessInformation>.. <Pid>4788</Pi
            Process:C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):4731
            Entropy (8bit):4.455603281892209
            Encrypted:false
            SSDEEP:48:cvIwWl8zsKJg771I9GJWpW8VYNYm8M4JFKyyFTyq8v9iTynibKHd:uIjfYI7d47VBJFK/WITCiGHd
            MD5:46933A74DC437CC4459BFD944CFDEC6F
            SHA1:099C6121C184200F4B0CF6D9853E337089916BEE
            SHA-256:EA83A324E7C2F3FF1F2687CA3CC3A56C2F5390F87F3D4813ADCF1D0908D2570C
            SHA-512:E810713023C94D1DE48770632DA655904195937F7AA1B722F3C63D60FA570BE2B071A1D0BEB821218336E39440A7A4A874C90014C6E5D7D61B9ACF40961D255D
            Malicious:false
            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="633949" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
            Process:C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):4731
            Entropy (8bit):4.455553762018334
            Encrypted:false
            SSDEEP:48:cvIwWl8zsKJg771I9GJWpW8VYQYm8M4JFKyyFJKyq8v9BTynibKCd:uIjfYI7d47VAJFKtKW/TCiGCd
            MD5:C7FE6234DDD9AC7D63113DB76D2AA0D8
            SHA1:AFCE2373C9E9D2B07557976AAFF56C931B58A446
            SHA-256:503591C0D8BA57AFC99E65C0FE7FB5CD9E7377A48BDD7D9B9082EDDDE98B74F4
            SHA-512:3868EB68F43D09DF55C316780B5E53FD4E674C49E9BE6DCCA002A140781922BD45EC65A80F33FE4FCBD644ADBCF60B7307A788CBB932A6842A1C631D7B7680DF
            Malicious:false
            Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="633949" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
            Process:C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe
            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):11264
            Entropy (8bit):5.045010438088567
            Encrypted:false
            SSDEEP:96:fitke0F170CZzubtu0005hO/VxnEyzT3fC72nBzNUYYknRmX9vC0MiUCIHSVyepC:CW70ACbDUtfM2nNNUYYImX9xUpSVyL5
            MD5:D6BFAB9DDE06D4BADDEC652F65C16319
            SHA1:C51E91131088AFD83262F5AA7BA8DF98399EC225
            SHA-256:CD5383086089A354036D4404547ADDC916F98422817E5FE53606D7FC7113610D
            SHA-512:DD58B5C291023ABD2D2FD5ACC0C4537EB40F1A4189A0F61EC30021916B3907E4D3D8211A5AB0B120110323C5AE4998D49B9A307DE612FC417BA3997AF70D7D3D
            Malicious:true
            Antivirus:
            • Antivirus: Joe Sandbox ML, Detection: 100%
            • Antivirus: ReversingLabs, Detection: 18%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H%............"...0.."..........^@... ...`....@.. ....................................@..................................@..O....`..............................|?..8............................................ ............... ..H............text...d ... ...".................. ..`.rsrc........`.......$..............@..@.reloc...............*..............@..B................?@......H........%...............>...............................................0..........s.....(....(....o....o....(....%(....%(....%(....(....(.....r...p ....s.......o....}....(.....o......{........io...........s....s....(....(....r...po.......{..........io.... 0u..(....+.J(....o.....(....&*.0..].......(....( ...(!...%.("...(!....(#...&..($...r#..p.(%...(&........r}..p.o'...(%...(&...~(.......*...........==.......0..K.......~)...r...p.o*.....,..r...p.o+....o,...r/..p(&......rw..p
            Process:C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):26
            Entropy (8bit):3.95006375643621
            Encrypted:false
            SSDEEP:3:ggPYV:rPYV
            MD5:187F488E27DB4AF347237FE461A079AD
            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
            Malicious:true
            Preview:[ZoneTransfer]....ZoneId=0
            Process:C:\Users\user\Desktop\AV4b38nlhN.exe
            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):11264
            Entropy (8bit):5.045010438088567
            Encrypted:false
            SSDEEP:96:fitke0F170CZzubtu0005hO/VxnEyzT3fC72nBzNUYYknRmX9vC0MiUCIHSVyepC:CW70ACbDUtfM2nNNUYYImX9xUpSVyL5
            MD5:D6BFAB9DDE06D4BADDEC652F65C16319
            SHA1:C51E91131088AFD83262F5AA7BA8DF98399EC225
            SHA-256:CD5383086089A354036D4404547ADDC916F98422817E5FE53606D7FC7113610D
            SHA-512:DD58B5C291023ABD2D2FD5ACC0C4537EB40F1A4189A0F61EC30021916B3907E4D3D8211A5AB0B120110323C5AE4998D49B9A307DE612FC417BA3997AF70D7D3D
            Malicious:true
            Antivirus:
            • Antivirus: Joe Sandbox ML, Detection: 100%
            • Antivirus: ReversingLabs, Detection: 18%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H%............"...0.."..........^@... ...`....@.. ....................................@..................................@..O....`..............................|?..8............................................ ............... ..H............text...d ... ...".................. ..`.rsrc........`.......$..............@..@.reloc...............*..............@..B................?@......H........%...............>...............................................0..........s.....(....(....o....o....(....%(....%(....%(....(....(.....r...p ....s.......o....}....(.....o......{........io...........s....s....(....(....r...po.......{..........io.... 0u..(....+.J(....o.....(....&*.0..].......(....( ...(!...%.("...(!....(#...&..($...r#..p.(%...(&........r}..p.o'...(%...(&...~(.......*...........==.......0..K.......~)...r...p.o*.....,..r...p.o+....o,...r/..p(&......rw..p
            Process:C:\Users\user\Desktop\AV4b38nlhN.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):26
            Entropy (8bit):3.95006375643621
            Encrypted:false
            SSDEEP:3:ggPYV:rPYV
            MD5:187F488E27DB4AF347237FE461A079AD
            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
            Malicious:true
            Preview:[ZoneTransfer]....ZoneId=0
            Process:C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe
            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):11264
            Entropy (8bit):5.045010438088567
            Encrypted:false
            SSDEEP:96:fitke0F170CZzubtu0005hO/VxnEyzT3fC72nBzNUYYknRmX9vC0MiUCIHSVyepC:CW70ACbDUtfM2nNNUYYImX9xUpSVyL5
            MD5:D6BFAB9DDE06D4BADDEC652F65C16319
            SHA1:C51E91131088AFD83262F5AA7BA8DF98399EC225
            SHA-256:CD5383086089A354036D4404547ADDC916F98422817E5FE53606D7FC7113610D
            SHA-512:DD58B5C291023ABD2D2FD5ACC0C4537EB40F1A4189A0F61EC30021916B3907E4D3D8211A5AB0B120110323C5AE4998D49B9A307DE612FC417BA3997AF70D7D3D
            Malicious:true
            Antivirus:
            • Antivirus: Joe Sandbox ML, Detection: 100%
            • Antivirus: ReversingLabs, Detection: 18%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H%............"...0.."..........^@... ...`....@.. ....................................@..................................@..O....`..............................|?..8............................................ ............... ..H............text...d ... ...".................. ..`.rsrc........`.......$..............@..@.reloc...............*..............@..B................?@......H........%...............>...............................................0..........s.....(....(....o....o....(....%(....%(....%(....(....(.....r...p ....s.......o....}....(.....o......{........io...........s....s....(....(....r...po.......{..........io.... 0u..(....+.J(....o.....(....&*.0..].......(....( ...(!...%.("...(!....(#...&..($...r#..p.(%...(&........r}..p.o'...(%...(&...~(.......*...........==.......0..K.......~)...r...p.o*.....,..r...p.o+....o,...r/..p(&......rw..p
            Process:C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):26
            Entropy (8bit):3.95006375643621
            Encrypted:false
            SSDEEP:3:ggPYV:rPYV
            MD5:187F488E27DB4AF347237FE461A079AD
            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
            Malicious:true
            Preview:[ZoneTransfer]....ZoneId=0
            Process:C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\AV4b38nlhN.exe
            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):11264
            Entropy (8bit):5.045010438088567
            Encrypted:false
            SSDEEP:96:fitke0F170CZzubtu0005hO/VxnEyzT3fC72nBzNUYYknRmX9vC0MiUCIHSVyepC:CW70ACbDUtfM2nNNUYYImX9xUpSVyL5
            MD5:D6BFAB9DDE06D4BADDEC652F65C16319
            SHA1:C51E91131088AFD83262F5AA7BA8DF98399EC225
            SHA-256:CD5383086089A354036D4404547ADDC916F98422817E5FE53606D7FC7113610D
            SHA-512:DD58B5C291023ABD2D2FD5ACC0C4537EB40F1A4189A0F61EC30021916B3907E4D3D8211A5AB0B120110323C5AE4998D49B9A307DE612FC417BA3997AF70D7D3D
            Malicious:true
            Antivirus:
            • Antivirus: Joe Sandbox ML, Detection: 100%
            • Antivirus: ReversingLabs, Detection: 18%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H%............"...0.."..........^@... ...`....@.. ....................................@..................................@..O....`..............................|?..8............................................ ............... ..H............text...d ... ...".................. ..`.rsrc........`.......$..............@..@.reloc...............*..............@..B................?@......H........%...............>...............................................0..........s.....(....(....o....o....(....%(....%(....%(....(....(.....r...p ....s.......o....}....(.....o......{........io...........s....s....(....(....r...po.......{..........io.... 0u..(....+.J(....o.....(....&*.0..].......(....( ...(!...%.("...(!....(#...&..($...r#..p.(%...(&........r}..p.o'...(%...(&...~(.......*...........==.......0..K.......~)...r...p.o*.....,..r...p.o+....o,...r/..p(&......rw..p
            Process:C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\AV4b38nlhN.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):26
            Entropy (8bit):3.95006375643621
            Encrypted:false
            SSDEEP:3:ggPYV:rPYV
            MD5:187F488E27DB4AF347237FE461A079AD
            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
            Malicious:true
            Preview:[ZoneTransfer]....ZoneId=0
            Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV4b38nlhN.exe
            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):11264
            Entropy (8bit):5.045010438088567
            Encrypted:false
            SSDEEP:96:fitke0F170CZzubtu0005hO/VxnEyzT3fC72nBzNUYYknRmX9vC0MiUCIHSVyepC:CW70ACbDUtfM2nNNUYYImX9xUpSVyL5
            MD5:D6BFAB9DDE06D4BADDEC652F65C16319
            SHA1:C51E91131088AFD83262F5AA7BA8DF98399EC225
            SHA-256:CD5383086089A354036D4404547ADDC916F98422817E5FE53606D7FC7113610D
            SHA-512:DD58B5C291023ABD2D2FD5ACC0C4537EB40F1A4189A0F61EC30021916B3907E4D3D8211A5AB0B120110323C5AE4998D49B9A307DE612FC417BA3997AF70D7D3D
            Malicious:true
            Antivirus:
            • Antivirus: Joe Sandbox ML, Detection: 100%
            • Antivirus: ReversingLabs, Detection: 18%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H%............"...0.."..........^@... ...`....@.. ....................................@..................................@..O....`..............................|?..8............................................ ............... ..H............text...d ... ...".................. ..`.rsrc........`.......$..............@..@.reloc...............*..............@..B................?@......H........%...............>...............................................0..........s.....(....(....o....o....(....%(....%(....%(....(....(.....r...p ....s.......o....}....(.....o......{........io...........s....s....(....(....r...po.......{..........io.... 0u..(....+.J(....o.....(....&*.0..].......(....( ...(!...%.("...(!....(#...&..($...r#..p.(%...(&........r}..p.o'...(%...(&...~(.......*...........==.......0..K.......~)...r...p.o*.....,..r...p.o+....o,...r/..p(&......rw..p
            Process:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV4b38nlhN.exe
            File Type:ASCII text, with CRLF line terminators
            Category:modified
            Size (bytes):26
            Entropy (8bit):3.95006375643621
            Encrypted:false
            SSDEEP:3:ggPYV:rPYV
            MD5:187F488E27DB4AF347237FE461A079AD
            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
            Malicious:true
            Preview:[ZoneTransfer]....ZoneId=0
            Process:C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.exe
            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):11264
            Entropy (8bit):5.045010438088567
            Encrypted:false
            SSDEEP:96:fitke0F170CZzubtu0005hO/VxnEyzT3fC72nBzNUYYknRmX9vC0MiUCIHSVyepC:CW70ACbDUtfM2nNNUYYImX9xUpSVyL5
            MD5:D6BFAB9DDE06D4BADDEC652F65C16319
            SHA1:C51E91131088AFD83262F5AA7BA8DF98399EC225
            SHA-256:CD5383086089A354036D4404547ADDC916F98422817E5FE53606D7FC7113610D
            SHA-512:DD58B5C291023ABD2D2FD5ACC0C4537EB40F1A4189A0F61EC30021916B3907E4D3D8211A5AB0B120110323C5AE4998D49B9A307DE612FC417BA3997AF70D7D3D
            Malicious:true
            Antivirus:
            • Antivirus: Joe Sandbox ML, Detection: 100%
            • Antivirus: ReversingLabs, Detection: 18%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H%............"...0.."..........^@... ...`....@.. ....................................@..................................@..O....`..............................|?..8............................................ ............... ..H............text...d ... ...".................. ..`.rsrc........`.......$..............@..@.reloc...............*..............@..B................?@......H........%...............>...............................................0..........s.....(....(....o....o....(....%(....%(....%(....(....(.....r...p ....s.......o....}....(.....o......{........io...........s....s....(....(....r...po.......{..........io.... 0u..(....+.J(....o.....(....&*.0..].......(....( ...(!...%.("...(!....(#...&..($...r#..p.(%...(&........r}..p.o'...(%...(&...~(.......*...........==.......0..K.......~)...r...p.o*.....,..r...p.o+....o,...r/..p(&......rw..p
            Process:C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):26
            Entropy (8bit):3.95006375643621
            Encrypted:false
            SSDEEP:3:ggPYV:rPYV
            MD5:187F488E27DB4AF347237FE461A079AD
            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
            Malicious:true
            Preview:[ZoneTransfer]....ZoneId=0
            Process:C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe
            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):11264
            Entropy (8bit):5.045010438088567
            Encrypted:false
            SSDEEP:96:fitke0F170CZzubtu0005hO/VxnEyzT3fC72nBzNUYYknRmX9vC0MiUCIHSVyepC:CW70ACbDUtfM2nNNUYYImX9xUpSVyL5
            MD5:D6BFAB9DDE06D4BADDEC652F65C16319
            SHA1:C51E91131088AFD83262F5AA7BA8DF98399EC225
            SHA-256:CD5383086089A354036D4404547ADDC916F98422817E5FE53606D7FC7113610D
            SHA-512:DD58B5C291023ABD2D2FD5ACC0C4537EB40F1A4189A0F61EC30021916B3907E4D3D8211A5AB0B120110323C5AE4998D49B9A307DE612FC417BA3997AF70D7D3D
            Malicious:true
            Antivirus:
            • Antivirus: Joe Sandbox ML, Detection: 100%
            • Antivirus: ReversingLabs, Detection: 18%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H%............"...0.."..........^@... ...`....@.. ....................................@..................................@..O....`..............................|?..8............................................ ............... ..H............text...d ... ...".................. ..`.rsrc........`.......$..............@..@.reloc...............*..............@..B................?@......H........%...............>...............................................0..........s.....(....(....o....o....(....%(....%(....%(....(....(.....r...p ....s.......o....}....(.....o......{........io...........s....s....(....(....r...po.......{..........io.... 0u..(....+.J(....o.....(....&*.0..].......(....( ...(!...%.("...(!....(#...&..($...r#..p.(%...(&........r}..p.o'...(%...(&...~(.......*...........==.......0..K.......~)...r...p.o*.....,..r...p.o+....o,...r/..p(&......rw..p
            Process:C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe
            File Type:ASCII text, with CRLF line terminators
            Category:dropped
            Size (bytes):26
            Entropy (8bit):3.95006375643621
            Encrypted:false
            SSDEEP:3:ggPYV:rPYV
            MD5:187F488E27DB4AF347237FE461A079AD
            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
            Malicious:true
            Preview:[ZoneTransfer]....ZoneId=0
            Process:C:\Users\user\Desktop\AV4b38nlhN.exe
            File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Category:dropped
            Size (bytes):11264
            Entropy (8bit):5.045010438088567
            Encrypted:false
            SSDEEP:96:fitke0F170CZzubtu0005hO/VxnEyzT3fC72nBzNUYYknRmX9vC0MiUCIHSVyepC:CW70ACbDUtfM2nNNUYYImX9xUpSVyL5
            MD5:D6BFAB9DDE06D4BADDEC652F65C16319
            SHA1:C51E91131088AFD83262F5AA7BA8DF98399EC225
            SHA-256:CD5383086089A354036D4404547ADDC916F98422817E5FE53606D7FC7113610D
            SHA-512:DD58B5C291023ABD2D2FD5ACC0C4537EB40F1A4189A0F61EC30021916B3907E4D3D8211A5AB0B120110323C5AE4998D49B9A307DE612FC417BA3997AF70D7D3D
            Malicious:true
            Antivirus:
            • Antivirus: ReversingLabs, Detection: 18%
            Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H%............"...0.."..........^@... ...`....@.. ....................................@..................................@..O....`..............................|?..8............................................ ............... ..H............text...d ... ...".................. ..`.rsrc........`.......$..............@..@.reloc...............*..............@..B................?@......H........%...............>...............................................0..........s.....(....(....o....o....(....%(....%(....%(....(....(.....r...p ....s.......o....}....(.....o......{........io...........s....s....(....(....r...po.......{..........io.... 0u..(....+.J(....o.....(....&*.0..].......(....( ...(!...%.("...(!....(#...&..($...r#..p.(%...(&........r}..p.o'...(%...(&...~(.......*...........==.......0..K.......~)...r...p.o*.....,..r...p.o+....o,...r/..p(&......rw..p
            Process:C:\Users\user\Desktop\AV4b38nlhN.exe
            File Type:ASCII text, with CRLF line terminators
            Category:modified
            Size (bytes):26
            Entropy (8bit):3.95006375643621
            Encrypted:false
            SSDEEP:3:ggPYV:rPYV
            MD5:187F488E27DB4AF347237FE461A079AD
            SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
            SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
            SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
            Malicious:true
            Preview:[ZoneTransfer]....ZoneId=0
            Process:C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
            File Type:MS Windows registry file, NT/2000 or above
            Category:dropped
            Size (bytes):1835008
            Entropy (8bit):4.468513644859198
            Encrypted:false
            SSDEEP:6144:ozZfpi6ceLPx9skLmb0fqZWSP3aJG8nAgeiJRMMhA2zX4WABluuNfjDH5S:+ZHtqZWOKnMM6bFp5j4
            MD5:2064D73BC4F557CF3586E53D3205E132
            SHA1:2FE720A3A6315400982E2877507A607BFFDCBCFB
            SHA-256:5C5092C27E609C213557B0DA255FAB3C2DC4299DE0339CA3BDCB18FC87039269
            SHA-512:69F81A0386D8472BA6F9FDD6451A60DDB698551D028DCC3E492C0339CE36A2F55BDC8884405EA51305FC91FADF5E4F08A19DA8A165FA562034D4D5EF0C9B04CB
            Malicious:false
            Preview:regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm..=K.O..............................................................................................................................................................................................................................................................................................................................................q.+.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
            File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
            Entropy (8bit):5.045010438088567
            TrID:
            • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
            • Win32 Executable (generic) a (10002005/4) 49.78%
            • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
            • Generic Win/DOS Executable (2004/3) 0.01%
            • DOS Executable Generic (2002/1) 0.01%
            File name:AV4b38nlhN.exe
            File size:11'264 bytes
            MD5:d6bfab9dde06d4baddec652f65c16319
            SHA1:c51e91131088afd83262f5aa7ba8df98399ec225
            SHA256:cd5383086089a354036d4404547addc916f98422817e5fe53606d7fc7113610d
            SHA512:dd58b5c291023abd2d2fd5acc0c4537eb40f1a4189a0f61ec30021916b3907e4d3d8211a5ab0b120110323c5ae4998d49b9a307de612fc417ba3997af70d7d3d
            SSDEEP:96:fitke0F170CZzubtu0005hO/VxnEyzT3fC72nBzNUYYknRmX9vC0MiUCIHSVyepC:CW70ACbDUtfM2nNNUYYImX9xUpSVyL5
            TLSH:1332FA07B7A88335D63E0E760D7293801172BB45D923DAAE68C6280F5E663F457227F5
            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H%............"...0.."..........^@... ...`....@.. ....................................@................................
            Icon Hash:00928e8e8686b000
            Entrypoint:0x40405e
            Entrypoint Section:.text
            Digitally signed:false
            Imagebase:0x400000
            Subsystem:windows gui
            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
            DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
            Time Stamp:0xEE1C2548 [Fri Aug 3 08:46:00 2096 UTC]
            TLS Callbacks:
            CLR (.Net) Version:
            OS Version Major:4
            OS Version Minor:0
            File Version Major:4
            File Version Minor:0
            Subsystem Version Major:4
            Subsystem Version Minor:0
            Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
            Instruction
            jmp dword ptr [00402000h]
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            add byte ptr [eax], al
            Name | Virtual Address | Virtual Size | Is in Section
            IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IMPORT | 0x400b | 0x4f | .text
            IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x6000 | 0x59c | .rsrc
            IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x8000 | 0xc | .reloc
            IMAGE_DIRECTORY_ENTRY_DEBUG | 0x3f7c | 0x38 | .text
            IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
            IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
            IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
            IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
            Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
            .text | 0x2000 | 0x2064 | 0x2200 | 4341101872ce114189c180d10267db33 | False | 0.5012637867647058 | data | 5.433185225260254 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            .rsrc | 0x6000 | 0x59c | 0x600 | 79cea792a0559f83e1fb2f0d8a9f7865 | False | 0.4134114583333333 | data | 4.024991342643555 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
            .reloc | 0x8000 | 0xc | 0x200 | 576f8683441067a677f1f3bae16b9876 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
            Name | RVA | Size | Type | Language | Country | ZLIB Complexity
            RT_VERSION | 0x6090 | 0x30c | data | | | 0.4282051282051282
            RT_MANIFEST | 0x63ac | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
            DLL | Import
            mscoree.dll | _CorExeMain
            Timestamp | Source Port | Dest Port | Source IP | Dest IP
            Dec 16, 2024 15:45:30.892621040 CET | 49713 | 7174 | 192.168.2.6 | 193.58.121.250
            Dec 16, 2024 15:45:31.014004946 CET | 7174 | 49713 | 193.58.121.250 | 192.168.2.6
            Dec 16, 2024 15:45:31.014095068 CET | 49713 | 7174 | 192.168.2.6 | 193.58.121.250
            Dec 16, 2024 15:45:31.016535997 CET | 49713 | 7174 | 192.168.2.6 | 193.58.121.250
            Dec 16, 2024 15:45:31.136815071 CET | 7174 | 49713 | 193.58.121.250 | 192.168.2.6
            Dec 16, 2024 15:45:31.136903048 CET | 49713 | 7174 | 192.168.2.6 | 193.58.121.250
            Dec 16, 2024 15:45:31.256871939 CET | 7174 | 49713 | 193.58.121.250 | 192.168.2.6
            Dec 16, 2024 15:45:32.351515055 CET | 49715 | 7174 | 192.168.2.6 | 193.58.121.250
            Dec 16, 2024 15:45:32.471771002 CET | 7174 | 49715 | 193.58.121.250 | 192.168.2.6
            Dec 16, 2024 15:45:32.471883059 CET | 49715 | 7174 | 192.168.2.6 | 193.58.121.250
            Dec 16, 2024 15:45:32.472263098 CET | 49715 | 7174 | 192.168.2.6 | 193.58.121.250
            Dec 16, 2024 15:45:32.592200041 CET | 7174 | 49715 | 193.58.121.250 | 192.168.2.6
            Dec 16, 2024 15:45:32.592262983 CET | 49715 | 7174 | 192.168.2.6 | 193.58.121.250
            Dec 16, 2024 15:45:32.712119102 CET | 7174 | 49715 | 193.58.121.250 | 192.168.2.6
            Dec 16, 2024 15:45:33.193728924 CET | 7174 | 49713 | 193.58.121.250 | 192.168.2.6
            Dec 16, 2024 15:45:33.193814039 CET | 49713 | 7174 | 192.168.2.6 | 193.58.121.250
            Dec 16, 2024 15:45:34.749175072 CET | 7174 | 49715 | 193.58.121.250 | 192.168.2.6
            Dec 16, 2024 15:45:34.749330997 CET | 49715 | 7174 | 192.168.2.6 | 193.58.121.250
            Dec 16, 2024 15:45:46.567936897 CET | 49738 | 7174 | 192.168.2.6 | 193.58.121.250
            Dec 16, 2024 15:45:46.688222885 CET | 7174 | 49738 | 193.58.121.250 | 192.168.2.6
            Dec 16, 2024 15:45:46.688293934 CET | 49738 | 7174 | 192.168.2.6 | 193.58.121.250
            Dec 16, 2024 15:45:46.688637972 CET | 49738 | 7174 | 192.168.2.6 | 193.58.121.250
            Dec 16, 2024 15:45:46.808352947 CET | 7174 | 49738 | 193.58.121.250 | 192.168.2.6
            Dec 16, 2024 15:45:46.808401108 CET | 49738 | 7174 | 192.168.2.6 | 193.58.121.250
            Dec 16, 2024 15:45:46.928265095 CET | 7174 | 49738 | 193.58.121.250 | 192.168.2.6
            Dec 16, 2024 15:45:48.863503933 CET | 7174 | 49738 | 193.58.121.250 | 192.168.2.6
            Dec 16, 2024 15:45:48.863604069 CET | 49738 | 7174 | 192.168.2.6 | 193.58.121.250
            Dec 16, 2024 15:45:57.711009026 CET | 49756 | 7174 | 192.168.2.6 | 193.58.121.250
            Dec 16, 2024 15:45:57.831105947 CET | 7174 | 49756 | 193.58.121.250 | 192.168.2.6
            Dec 16, 2024 15:45:57.831202984 CET | 49756 | 7174 | 192.168.2.6 | 193.58.121.250
            Dec 16, 2024 15:45:57.883735895 CET | 49756 | 7174 | 192.168.2.6 | 193.58.121.250
            Dec 16, 2024 15:45:58.003953934 CET | 7174 | 49756 | 193.58.121.250 | 192.168.2.6
            Dec 16, 2024 15:45:58.004040003 CET | 49756 | 7174 | 192.168.2.6 | 193.58.121.250
            Dec 16, 2024 15:45:58.124242067 CET | 7174 | 49756 | 193.58.121.250 | 192.168.2.6
            Dec 16, 2024 15:46:00.004683971 CET | 7174 | 49756 | 193.58.121.250 | 192.168.2.6
            Dec 16, 2024 15:46:00.005160093 CET | 49756 | 7174 | 192.168.2.6 | 193.58.121.250
            Dec 16, 2024 15:46:01.076056957 CET | 49713 | 7174 | 192.168.2.6 | 193.58.121.250
            Dec 16, 2024 15:46:01.196369886 CET | 7174 | 49713 | 193.58.121.250 | 192.168.2.6
            Dec 16, 2024 15:46:07.340621948 CET | 49715 | 7174 | 192.168.2.6 | 193.58.121.250
            Dec 16, 2024 15:46:07.462488890 CET | 7174 | 49715 | 193.58.121.250 | 192.168.2.6
            Dec 16, 2024 15:46:10.437227964 CET | 49780 | 7174 | 192.168.2.6 | 193.58.121.250
            Dec 16, 2024 15:46:10.557195902 CET | 7174 | 49780 | 193.58.121.250 | 192.168.2.6
            Dec 16, 2024 15:46:10.557280064 CET | 49780 | 7174 | 192.168.2.6 | 193.58.121.250
            Dec 16, 2024 15:46:10.558010101 CET | 49780 | 7174 | 192.168.2.6 | 193.58.121.250
            Dec 16, 2024 15:46:10.678098917 CET | 7174 | 49780 | 193.58.121.250 | 192.168.2.6
            Dec 16, 2024 15:46:10.678186893 CET | 49780 | 7174 | 192.168.2.6 | 193.58.121.250
            Dec 16, 2024 15:46:10.799223900 CET | 7174 | 49780 | 193.58.121.250 | 192.168.2.6
            Dec 16, 2024 15:46:12.754111052 CET | 7174 | 49780 | 193.58.121.250 | 192.168.2.6
            Dec 16, 2024 15:46:12.755383015 CET | 49780 | 7174 | 192.168.2.6 | 193.58.121.250
            Dec 16, 2024 15:46:16.760678053 CET | 49738 | 7174 | 192.168.2.6 | 193.58.121.250
            Dec 16, 2024 15:46:16.880460978 CET | 7174 | 49738 | 193.58.121.250 | 192.168.2.6
            Dec 16, 2024 15:46:23.052239895 CET | 49803 | 7174 | 192.168.2.6 | 193.58.121.250
            Dec 16, 2024 15:46:23.172128916 CET | 7174 | 49803 | 193.58.121.250 | 192.168.2.6
            Dec 16, 2024 15:46:23.172213078 CET | 49803 | 7174 | 192.168.2.6 | 193.58.121.250
            Dec 16, 2024 15:46:23.172797918 CET | 49803 | 7174 | 192.168.2.6 | 193.58.121.250
            Dec 16, 2024 15:46:23.292735100 CET | 7174 | 49803 | 193.58.121.250 | 192.168.2.6
            Dec 16, 2024 15:46:23.293677092 CET | 49803 | 7174 | 192.168.2.6 | 193.58.121.250
            Dec 16, 2024 15:46:23.413652897 CET | 7174 | 49803 | 193.58.121.250 | 192.168.2.6
            Dec 16, 2024 15:46:25.348339081 CET | 7174 | 49803 | 193.58.121.250 | 192.168.2.6
            Dec 16, 2024 15:46:25.348438025 CET | 49803 | 7174 | 192.168.2.6 | 193.58.121.250
            Dec 16, 2024 15:46:28.246501923 CET | 49756 | 7174 | 192.168.2.6 | 193.58.121.250
            Dec 16, 2024 15:46:28.366959095 CET | 7174 | 49756 | 193.58.121.250 | 192.168.2.6
            Dec 16, 2024 15:46:36.444751978 CET | 49824 | 7174 | 192.168.2.6 | 193.58.121.250
            Dec 16, 2024 15:46:36.564824104 CET | 7174 | 49824 | 193.58.121.250 | 192.168.2.6
            Dec 16, 2024 15:46:36.564914942 CET | 49824 | 7174 | 192.168.2.6 | 193.58.121.250
            Dec 16, 2024 15:46:36.565393925 CET | 49824 | 7174 | 192.168.2.6 | 193.58.121.250
            Dec 16, 2024 15:46:36.685934067 CET | 7174 | 49824 | 193.58.121.250 | 192.168.2.6
            Dec 16, 2024 15:46:36.686016083 CET | 49824 | 7174 | 192.168.2.6 | 193.58.121.250
            Dec 16, 2024 15:46:36.807382107 CET | 7174 | 49824 | 193.58.121.250 | 192.168.2.6
            Dec 16, 2024 15:46:38.739057064 CET | 7174 | 49824 | 193.58.121.250 | 192.168.2.6
            Dec 16, 2024 15:46:38.739121914 CET | 49824 | 7174 | 192.168.2.6 | 193.58.121.250
            Dec 16, 2024 15:46:41.372836113 CET | 49780 | 7174 | 192.168.2.6 | 193.58.121.250
            Dec 16, 2024 15:46:41.492877960 CET | 7174 | 49780 | 193.58.121.250 | 192.168.2.6
            Dec 16, 2024 15:46:53.289853096 CET | 49803 | 7174 | 192.168.2.6 | 193.58.121.250
            Dec 16, 2024 15:46:53.409610033 CET | 7174 | 49803 | 193.58.121.250 | 192.168.2.6
            Dec 16, 2024 15:47:06.630179882 CET | 49824 | 7174 | 192.168.2.6 | 193.58.121.250
            Dec 16, 2024 15:47:06.756728888 CET | 7174 | 49824 | 193.58.121.250 | 192.168.2.6
            Timestamp | Source Port | Dest Port | Source IP | Dest IP
            Dec 16, 2024 15:45:30.743014097 CET | 60412 | 53 | 192.168.2.6 | 1.1.1.1
            Dec 16, 2024 15:45:30.885026932 CET | 53 | 60412 | 1.1.1.1 | 192.168.2.6
            Dec 16, 2024 15:45:46.400408030 CET | 52848 | 53 | 192.168.2.6 | 1.1.1.1
            Dec 16, 2024 15:45:46.537311077 CET | 53 | 52848 | 1.1.1.1 | 192.168.2.6
            Dec 16, 2024 15:45:57.537548065 CET | 49831 | 53 | 192.168.2.6 | 1.1.1.1
            Dec 16, 2024 15:45:57.675396919 CET | 53 | 49831 | 1.1.1.1 | 192.168.2.6
            Dec 16, 2024 15:46:10.210450888 CET | 65129 | 53 | 192.168.2.6 | 1.1.1.1
            Dec 16, 2024 15:46:10.348335981 CET | 53 | 65129 | 1.1.1.1 | 192.168.2.6
            Dec 16, 2024 15:46:22.857481956 CET | 54345 | 53 | 192.168.2.6 | 1.1.1.1
            Dec 16, 2024 15:46:22.995904922 CET | 53 | 54345 | 1.1.1.1 | 192.168.2.6
            Dec 16, 2024 15:46:36.220364094 CET | 52338 | 53 | 192.168.2.6 | 1.1.1.1
            Dec 16, 2024 15:46:36.358831882 CET | 53 | 52338 | 1.1.1.1 | 192.168.2.6
            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
            Dec 16, 2024 15:45:30.743014097 CET | 192.168.2.6 | 1.1.1.1 | 0x200f | Standard query (0) | 10.76.9.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
            Dec 16, 2024 15:45:46.400408030 CET | 192.168.2.6 | 1.1.1.1 | 0xa93b | Standard query (0) | 10.76.9.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
            Dec 16, 2024 15:45:57.537548065 CET | 192.168.2.6 | 1.1.1.1 | 0x8faa | Standard query (0) | 10.76.9.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
            Dec 16, 2024 15:46:10.210450888 CET | 192.168.2.6 | 1.1.1.1 | 0xca2a | Standard query (0) | 10.76.9.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
            Dec 16, 2024 15:46:22.857481956 CET | 192.168.2.6 | 1.1.1.1 | 0xbcd1 | Standard query (0) | 10.76.9.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
            Dec 16, 2024 15:46:36.220364094 CET | 192.168.2.6 | 1.1.1.1 | 0xfadd | Standard query (0) | 10.76.9.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
            Dec 16, 2024 15:45:26.565861940 CET | 1.1.1.1 | 192.168.2.6 | 0xe305 | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | | CNAME (Canonical name) | IN (0x0001) | false
            Dec 16, 2024 15:45:26.565861940 CET | 1.1.1.1 | 192.168.2.6 | 0xe305 | No error (0) | fp2e7a.wpc.phicdn.net | | 192.229.221.95 | A (IP address) | IN (0x0001) | false
            Dec 16, 2024 15:45:30.885026932 CET | 1.1.1.1 | 192.168.2.6 | 0x200f | Name error (3) | 10.76.9.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
            Dec 16, 2024 15:45:46.537311077 CET | 1.1.1.1 | 192.168.2.6 | 0xa93b | Name error (3) | 10.76.9.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
            Dec 16, 2024 15:45:57.675396919 CET | 1.1.1.1 | 192.168.2.6 | 0x8faa | Name error (3) | 10.76.9.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
            Dec 16, 2024 15:46:10.348335981 CET | 1.1.1.1 | 192.168.2.6 | 0xca2a | Name error (3) | 10.76.9.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
            Dec 16, 2024 15:46:22.995904922 CET | 1.1.1.1 | 192.168.2.6 | 0xbcd1 | Name error (3) | 10.76.9.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
            Dec 16, 2024 15:46:36.358831882 CET | 1.1.1.1 | 192.168.2.6 | 0xfadd | Name error (3) | 10.76.9.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
            Dec 16, 2024 15:47:48.643728971 CET | 1.1.1.1 | 192.168.2.6 | 0xbc79 | No error (0) | g-bing-com.ax-0001.ax-msedge.net | ax-0001.ax-msedge.net | | CNAME (Canonical name) | IN (0x0001) | false
            Dec 16, 2024 15:47:48.643728971 CET | 1.1.1.1 | 192.168.2.6 | 0xbc79 | No error (0) | ax-0001.ax-msedge.net | | 150.171.28.10 | A (IP address) | IN (0x0001) | false
            Dec 16, 2024 15:47:48.643728971 CET | 1.1.1.1 | 192.168.2.6 | 0xbc79 | No error (0) | ax-0001.ax-msedge.net | | 150.171.27.10 | A (IP address) | IN (0x0001) | false

            Target ID:0
            Start time:09:45:28
            Start date:16/12/2024
            Path:C:\Users\user\Desktop\AV4b38nlhN.exe
            Wow64 process (32bit):false
            Commandline:"C:\Users\user\Desktop\AV4b38nlhN.exe"
            Imagebase:0x990000
            File size:11'264 bytes
            MD5 hash:D6BFAB9DDE06D4BADDEC652F65C16319
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:true

            Target ID:2
            Start time:09:45:29
            Start date:16/12/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:"schtasks.exe" /create /tn "MyClientAppTask_638699391290709030" /tr "C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe" /sc onlogon /f
            Imagebase:0x7ff78c590000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:3
            Start time:09:45:29
            Start date:16/12/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff66e660000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:4
            Start time:09:45:30
            Start date:16/12/2024
            Path:C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe
            Wow64 process (32bit):false
            Commandline:C:\Users\user\AppData\Local\Temp\dhk3y0j3.gg3\AV4b38nlhN.exe
            Imagebase:0x580000
            File size:11'264 bytes
            MD5 hash:D6BFAB9DDE06D4BADDEC652F65C16319
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Antivirus matches:
            • Detection: 100%, Joe Sandbox ML
            • Detection: 18%, ReversingLabs
            Reputation:low
            Has exited:true

            Target ID:5
            Start time:09:45:30
            Start date:16/12/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:"schtasks.exe" /create /tn "MyClientAppTask_638699391308679816" /tr "C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe" /sc onlogon /f
            Imagebase:0x7ff66e660000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:6
            Start time:09:45:30
            Start date:16/12/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff66e660000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:8
            Start time:09:45:42
            Start date:16/12/2024
            Path:C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe
            Wow64 process (32bit):false
            Commandline:"C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe"
            Imagebase:0xca0000
            File size:11'264 bytes
            MD5 hash:D6BFAB9DDE06D4BADDEC652F65C16319
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Antivirus matches:
            • Detection: 100%, Joe Sandbox ML
            • Detection: 18%, ReversingLabs
            Reputation:low
            Has exited:true

            Target ID:9
            Start time:09:45:44
            Start date:16/12/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:"schtasks.exe" /create /tn "MyClientAppTask_638699391446656104" /tr "C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\AV4b38nlhN.exe" /sc onlogon /f
            Imagebase:0x7ff78c590000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:11
            Start time:09:45:45
            Start date:16/12/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff66e660000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:high
            Has exited:true

            Target ID:12
            Start time:09:45:54
            Start date:16/12/2024
            Path:C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe
            Wow64 process (32bit):false
            Commandline:"C:\Users\user\AppData\Local\Temp\1034xjxu.lsz\AV4b38nlhN.exe"
            Imagebase:0xc30000
            File size:11'264 bytes
            MD5 hash:D6BFAB9DDE06D4BADDEC652F65C16319
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Reputation:low
            Has exited:true

            Target ID:13
            Start time:09:45:55
            Start date:16/12/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:"schtasks.exe" /create /tn "MyClientAppTask_638699391551663456" /tr "C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.exe" /sc onlogon /f
            Imagebase:0x7ff78c590000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:14
            Start time:09:45:56
            Start date:16/12/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff66e660000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:16
            Start time:09:46:06
            Start date:16/12/2024
            Path:C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\AV4b38nlhN.exe
            Wow64 process (32bit):false
            Commandline:"C:\Users\user\AppData\Local\Temp\q5ax5g5h.01m\AV4b38nlhN.exe"
            Imagebase:0x6b0000
            File size:11'264 bytes
            MD5 hash:D6BFAB9DDE06D4BADDEC652F65C16319
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Antivirus matches:
            • Detection: 100%, Joe Sandbox ML
            • Detection: 18%, ReversingLabs
            Has exited:true

            Target ID:17
            Start time:09:46:07
            Start date:16/12/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:"schtasks.exe" /create /tn "MyClientAppTask_638699391675304437" /tr "C:\Users\user\AppData\Local\Temp\f3x15nhp.vew\AV4b38nlhN.exe" /sc onlogon /f
            Imagebase:0x7ff78c590000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:18
            Start time:09:46:08
            Start date:16/12/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff66e660000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:19
            Start time:09:46:19
            Start date:16/12/2024
            Path:C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.exe
            Wow64 process (32bit):false
            Commandline:"C:\Users\user\AppData\Local\Temp\ed1yuowm.r2t\AV4b38nlhN.exe"
            Imagebase:0x910000
            File size:11'264 bytes
            MD5 hash:D6BFAB9DDE06D4BADDEC652F65C16319
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Antivirus matches:
            • Detection: 100%, Joe Sandbox ML
            • Detection: 18%, ReversingLabs
            Has exited:true

            Target ID:20
            Start time:09:46:21
            Start date:16/12/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:"schtasks.exe" /create /tn "MyClientAppTask_638699391812619093" /tr "C:\Users\user\AppData\Local\Temp\hayuutbg.cwy\AV4b38nlhN.exe" /sc onlogon /f
            Imagebase:0x7ff78c590000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:21
            Start time:09:46:21
            Start date:16/12/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff66e660000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:22
            Start time:09:46:30
            Start date:16/12/2024
            Path:C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
            Wow64 process (32bit):false
            Commandline:dw20.exe -x -s 980
            Imagebase:0x10000000
            File size:46'208 bytes
            MD5 hash:29F49B77C60A7F0A6A614C167FE64E3C
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:24
            Start time:09:46:31
            Start date:16/12/2024
            Path:C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV4b38nlhN.exe
            Wow64 process (32bit):false
            Commandline:"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AV4b38nlhN.exe"
            Imagebase:0xcc0000
            File size:11'264 bytes
            MD5 hash:D6BFAB9DDE06D4BADDEC652F65C16319
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Antivirus matches:
            • Detection: 18%, ReversingLabs
            Has exited:true

            Target ID:25
            Start time:09:46:34
            Start date:16/12/2024
            Path:C:\Windows\System32\schtasks.exe
            Wow64 process (32bit):false
            Commandline:"schtasks.exe" /create /tn "MyClientAppTask_638699391947448790" /tr "C:\Users\user\AppData\Local\Temp\h4ljp22h.k2l\AV4b38nlhN.exe" /sc onlogon /f
            Imagebase:0x7ff7a84e0000
            File size:235'008 bytes
            MD5 hash:76CD6626DD8834BD4A42E6A565104DC2
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:26
            Start time:09:46:34
            Start date:16/12/2024
            Path:C:\Windows\System32\conhost.exe
            Wow64 process (32bit):false
            Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Imagebase:0x7ff66e660000
            File size:862'208 bytes
            MD5 hash:0D698AF330FD17BEE3BF90011D49251D
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:27
            Start time:09:46:36
            Start date:16/12/2024
            Path:C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
            Wow64 process (32bit):false
            Commandline:dw20.exe -x -s 1192
            Imagebase:0x10000000
            File size:46'208 bytes
            MD5 hash:29F49B77C60A7F0A6A614C167FE64E3C
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:28
            Start time:09:46:46
            Start date:16/12/2024
            Path:C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
            Wow64 process (32bit):false
            Commandline:dw20.exe -x -s 880
            Imagebase:0x10000000
            File size:46'208 bytes
            MD5 hash:29F49B77C60A7F0A6A614C167FE64E3C
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:29
            Start time:09:46:57
            Start date:16/12/2024
            Path:C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
            Wow64 process (32bit):false
            Commandline:dw20.exe -x -s 1152
            Imagebase:0x10000000
            File size:46'208 bytes
            MD5 hash:29F49B77C60A7F0A6A614C167FE64E3C
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:36
            Start time:09:47:10
            Start date:16/12/2024
            Path:C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
            Wow64 process (32bit):false
            Commandline:dw20.exe -x -s 1172
            Imagebase:0x10000000
            File size:46'208 bytes
            MD5 hash:29F49B77C60A7F0A6A614C167FE64E3C
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:39
            Start time:09:47:21
            Start date:16/12/2024
            Path:C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
            Wow64 process (32bit):false
            Commandline:dw20.exe -x -s 992
            Imagebase:0x10000000
            File size:46'208 bytes
            MD5 hash:29F49B77C60A7F0A6A614C167FE64E3C
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:40
            Start time:09:47:23
            Start date:16/12/2024
            Path:C:\Windows\System32\backgroundTaskHost.exe
            Wow64 process (32bit):false
            Commandline:"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
            Imagebase:0x7ff7f1560000
            File size:19'776 bytes
            MD5 hash:DA7063B17DBB8BBB3015351016868006
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Has exited:true

            Target ID:44
            Start time:09:47:35
            Start date:16/12/2024
            Path:C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
            Wow64 process (32bit):false
            Commandline:dw20.exe -x -s 1172
            Imagebase:0x10000000
            File size:46'208 bytes
            MD5 hash:29F49B77C60A7F0A6A614C167FE64E3C
            Has elevated privileges:false
            Has administrator privileges:false
            Programmed in:C, C++ or other language
            Has exited:true

              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_7ffd34850000_AV4b38nlhN.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d11bbf4b96ec46cd4ddc4461543993e2e28491218715fa10fe333671eac169c9
              • Instruction ID: 23e675bc36b70887d03dbc0b4d870fd3642fabe3913110e9a782a4842ff21a1a
              • Opcode Fuzzy Hash: d11bbf4b96ec46cd4ddc4461543993e2e28491218715fa10fe333671eac169c9
              • Instruction Fuzzy Hash: 8A318F6160D7C94FE7479B2888A57647FE1EF4B354F4941EAE089CF1A3CA2898098752
              Memory Dump Source
              • Source File: 0000000C.00000002.3054844167.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_7ffd34850000_AV4b38nlhN.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 30168365f3caac1fb5bb3f274a0313f38698cbfb8ebb4d58dde779bb16850e99
              • Instruction ID: 48c3e584c343b740e108985a8d033bf246f5be0ea97cca3997e52f43ce0ddb8d
              • Opcode Fuzzy Hash: 30168365f3caac1fb5bb3f274a0313f38698cbfb8ebb4d58dde779bb16850e99
              • Instruction Fuzzy Hash: 3821D67170D7885FE7429B6898647A53FE1EF4B340F5A01E7E44CCB293CA285C058362
              Memory Dump Source
              • Source File: 0000000C.00000002.3054844167.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_7ffd34850000_AV4b38nlhN.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: eb952359c8b295738318e561746d1353a316311ea55cbc11183b54145f748972
              • Instruction ID: d2503f4075031d095efda01efff60c0252f59d069d4c972be30a9d9eef69c190
              • Opcode Fuzzy Hash: eb952359c8b295738318e561746d1353a316311ea55cbc11183b54145f748972
              • Instruction Fuzzy Hash: D121F620B0CA4C4FDB91EB7844A53B87BE2EF8B254F5485FAE00DC7183DE3898058741
              Memory Dump Source
              • Source File: 0000000C.00000002.3054844167.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_12_2_7ffd34850000_AV4b38nlhN.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 55e398fc342604717d592dba9e23e7bb4033977844e0f52adfaacfe3e0debbef
              • Instruction ID: 19a9f0c59fdfa6c3410d564b53bbb1b774dca3a0dc0b1a9b011e4c1e31bb789c
              • Opcode Fuzzy Hash: 55e398fc342604717d592dba9e23e7bb4033977844e0f52adfaacfe3e0debbef
              • Instruction Fuzzy Hash: 3D210471B0874C4FEB46EB6898697E93BE1EF5A300F5600F6E44CCB293CE3898098751
              Strings
              Memory Dump Source
              • Source File: 00000010.00000002.3186665211.00007FFD34830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34830000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_7ffd34830000_AV4b38nlhN.jbxd
              Similarity
              • API ID:
              • String ID: (6o4
              • API String ID: 0-2817868338
              • Opcode ID: e6e9ff8b96d167640639a54d112541f1ec469354ad08d3eda9ceefdf7d963631
              • Instruction ID: 5ef3c33eddaa8f20230a2c33e134b8ed809f263c867871a8c8b172c990e0d1e9
              • Opcode Fuzzy Hash: e6e9ff8b96d167640639a54d112541f1ec469354ad08d3eda9ceefdf7d963631
              • Instruction Fuzzy Hash: F9814711B0E7C54FEB47AB7848B96693FA1AF57200B0A04FBD589CB1E3DD1C6C099362
              Memory Dump Source
              • Source File: 00000010.00000002.3186665211.00007FFD34830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34830000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_7ffd34830000_AV4b38nlhN.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: cc16194932fc877b5ac59a1dfd5e93db55933ffc06537ab94ab2c5083f62bc35
              • Instruction ID: cd2af53edf27ebdd514204037bdfc68adfc14eca0dbdd2ad461bbf1d89b4e495
              • Opcode Fuzzy Hash: cc16194932fc877b5ac59a1dfd5e93db55933ffc06537ab94ab2c5083f62bc35
              • Instruction Fuzzy Hash: B1512721B18B484FE756EB2C88A57A97BE1EF5A301F4541FAE44EC72E3DD38A8048751
              Memory Dump Source
              • Source File: 00000010.00000002.3186665211.00007FFD34830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34830000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_7ffd34830000_AV4b38nlhN.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 568d00972d6cb85a9f1e769703993e05d018f576467292d5b04c256b2444a03a
              • Instruction ID: cb55e8668d8bb56d77f7e5144d037aaf5b541e1567498f4307ddae30c8ce2a86
              • Opcode Fuzzy Hash: 568d00972d6cb85a9f1e769703993e05d018f576467292d5b04c256b2444a03a
              • Instruction Fuzzy Hash: BC31EF2060D7865FD7179738C8A5A657FE1EF1B200F4A85EAD089CF1A3EA1CD845C392
              Memory Dump Source
              • Source File: 00000010.00000002.3186665211.00007FFD34830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34830000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_7ffd34830000_AV4b38nlhN.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 57b3c94e0d7c0f4c69d4a9bc34173bb38c44a22cc55ef0916ae601b8fb38f9a8
              • Instruction ID: d12c18a0168fa7601bfe0286449c1da81af4713fdcd1bf7cc09451d77c08b3d8
              • Opcode Fuzzy Hash: 57b3c94e0d7c0f4c69d4a9bc34173bb38c44a22cc55ef0916ae601b8fb38f9a8
              • Instruction Fuzzy Hash: CA21F620718E098FD794EB6C88A97B973D1FB5A301F004179E58DC7283DE28A8068781
              Memory Dump Source
              • Source File: 00000010.00000002.3186665211.00007FFD34830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34830000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_7ffd34830000_AV4b38nlhN.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 27a2f5e57840d5ee1ba572ea92e0cbb04c11ec1224d305c3b07c23e1fab6328d
              • Instruction ID: 3ee18726e79ace8d54a4177f926dccac7e0526dd56e73802bb332687d49b71db
              • Opcode Fuzzy Hash: 27a2f5e57840d5ee1ba572ea92e0cbb04c11ec1224d305c3b07c23e1fab6328d
              • Instruction Fuzzy Hash: DA31BF21A0D7C94FE7469B2888A57643FE1EF4B314F4941EAD188CF2A7CA2888098752
              Memory Dump Source
              • Source File: 00000010.00000002.3186665211.00007FFD34830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34830000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_7ffd34830000_AV4b38nlhN.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d474188937ed8b6a57b2aefbaf6e47966d3cfc8cd32e5270a37526655b71842a
              • Instruction ID: 7bb241c2736824952c49f6d7c9ba348ebe67beafbd3fdf7b2db56a93041a9f10
              • Opcode Fuzzy Hash: d474188937ed8b6a57b2aefbaf6e47966d3cfc8cd32e5270a37526655b71842a
              • Instruction Fuzzy Hash: 0521D671B0D7885FE742DB6898647A53FA1EF4B344F5A00E7E54CCB2A7CA289D058362
              Memory Dump Source
              • Source File: 00000010.00000002.3186665211.00007FFD34830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34830000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_7ffd34830000_AV4b38nlhN.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a4e6f89b59b4915b78a381f83f403a3b3657e5ef57af877683cbe44b3e9aab60
              • Instruction ID: 314e911ad624cf08c941144b4cf4523a9b82d91fc77250a544fe83f0e25a14e2
              • Opcode Fuzzy Hash: a4e6f89b59b4915b78a381f83f403a3b3657e5ef57af877683cbe44b3e9aab60
              • Instruction Fuzzy Hash: 0521F620B0CA4C4FDB91EB7884A53B87BE2EF8B254F5491FAE04DC7283DE3899158741
              Memory Dump Source
              • Source File: 00000010.00000002.3186665211.00007FFD34830000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34830000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_16_2_7ffd34830000_AV4b38nlhN.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 4c95c8a8f215a336a3f6967fd36bffad5c777639330825379709a5699641d444
              • Instruction ID: 9adb43321c1f1de66ea38d7ebadb29df3c49c249c2bc308c584fed49097bbc45
              • Opcode Fuzzy Hash: 4c95c8a8f215a336a3f6967fd36bffad5c777639330825379709a5699641d444
              • Instruction Fuzzy Hash: 3B210771B08A484FEB55EB6888693E93BE1EF5A300F5640F6E44CCB293CA3899058751
              Strings
              Memory Dump Source
              • Source File: 00000013.00000002.3309836820.00007FFD34860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34860000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_19_2_7ffd34860000_AV4b38nlhN.jbxd
              Similarity
              • API ID:
              • String ID: (6r4
              • API String ID: 0-1486433838
              • Opcode ID: 7eb2e93df80ab0d6024b05320c8b5d0c84fb2fb5aafd7942541f6bfc8c3b4d0f
              • Instruction ID: 27ec267e67e8ead7a97fbb18e93a184c41f510fd01220c6e0ff7afa7dd44898c
              • Opcode Fuzzy Hash: 7eb2e93df80ab0d6024b05320c8b5d0c84fb2fb5aafd7942541f6bfc8c3b4d0f
              • Instruction Fuzzy Hash: 2C816710B0EBC54FEB97A77848B96687FA19F57200B0A04FBD189CB1E3DD1C6C099762
              Memory Dump Source
              • Source File: 00000013.00000002.3309836820.00007FFD34860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34860000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_19_2_7ffd34860000_AV4b38nlhN.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: a9fad84ea9f81c62545b1b46d15f2d5f3d0a61114e9b407bf0e09eecd63d381c
              • Instruction ID: d758822e926851ff9e2e20e69f10b386a9c9208afef7fc5c53417cd66a20c670
              • Opcode Fuzzy Hash: a9fad84ea9f81c62545b1b46d15f2d5f3d0a61114e9b407bf0e09eecd63d381c
              • Instruction Fuzzy Hash: C3513B21B18B484FE756EB2C88A57A57BE1EF5B300F8541BAE54DCB2D3CD38A8048751
              Memory Dump Source
              • Source File: 00000013.00000002.3309836820.00007FFD34860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34860000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_19_2_7ffd34860000_AV4b38nlhN.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 8e2c11ee8cb3845aee62e8042cdc6b4cc9df15db2c835846f55bcdabfc53422b
              • Instruction ID: d4f8af51e3a442926d9d1643fb7ce96aa60b3cc5f3894e57e266f837fc63f2cb
              • Opcode Fuzzy Hash: 8e2c11ee8cb3845aee62e8042cdc6b4cc9df15db2c835846f55bcdabfc53422b
              • Instruction Fuzzy Hash: 4131542060D7864FD7129728C8A5A753FE0EF1B310F4A41EAE08ACF0A3EA1DD845C791
              Memory Dump Source
              • Source File: 00000013.00000002.3309836820.00007FFD34860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34860000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_19_2_7ffd34860000_AV4b38nlhN.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 246d5b9a71b3d1c99e1444fb8e680830d66c0dd082599ed31dc9eee76f3be391
              • Instruction ID: 50bdf62190a530bdfcc822f0abc3196ea112f39bff81312a99c0d7852ebb26d6
              • Opcode Fuzzy Hash: 246d5b9a71b3d1c99e1444fb8e680830d66c0dd082599ed31dc9eee76f3be391
              • Instruction Fuzzy Hash: A1212730B18E0D8FD7A4EF6C88A97B977D1FF5A301F00417AE54DC3282DE28A8018B81
              Memory Dump Source
              • Source File: 00000013.00000002.3309836820.00007FFD34860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34860000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_19_2_7ffd34860000_AV4b38nlhN.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: b88176ff89fe2de2904211b433203117940a9e25c128218ffce84034ea9f9f8a
              • Instruction ID: c68390dd3ccbe661a4d92ef4ae8a946f87cb778bda17fdd2b51efc94e9782fa3
              • Opcode Fuzzy Hash: b88176ff89fe2de2904211b433203117940a9e25c128218ffce84034ea9f9f8a
              • Instruction Fuzzy Hash: 5821A262A097885FE742DB6898A47A53FA1EF4B354F9A00E7E548CF193CA285D058362
              Memory Dump Source
              • Source File: 00000013.00000002.3309836820.00007FFD34860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34860000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_19_2_7ffd34860000_AV4b38nlhN.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 6734d01b86f56be71417fb60563502ec2666bef5e209c9ab9368486427c405bc
              • Instruction ID: d2f302abc05628412733aea1c83948a8f74a1d68f92585d540caee014592d5e1
              • Opcode Fuzzy Hash: 6734d01b86f56be71417fb60563502ec2666bef5e209c9ab9368486427c405bc
              • Instruction Fuzzy Hash: AE318461A0D7C94FE7569B2898A57643FE1EF4B314F8941EAD288CF193CA2C98098752
              Memory Dump Source
              • Source File: 00000013.00000002.3309836820.00007FFD34860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34860000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_19_2_7ffd34860000_AV4b38nlhN.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 67d31b630b04d86d8605cc63a2dc776b4eb0a2fc463035cfa19fd9b80d6ca733
              • Instruction ID: 0191306031235f0a0ca4b81e0d5d9dfd1ebecfcbd26a843e434264c5a90a05d0
              • Opcode Fuzzy Hash: 67d31b630b04d86d8605cc63a2dc776b4eb0a2fc463035cfa19fd9b80d6ca733
              • Instruction Fuzzy Hash: E9210771B087484FEB51EB6888697E93BE1EF5A310F5600F6E50DCB293CE3899058751
              Memory Dump Source
              • Source File: 00000013.00000002.3309836820.00007FFD34860000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34860000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_19_2_7ffd34860000_AV4b38nlhN.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 5ea5a92628c14f6344febc4a63bcbb715258d1d298c1eca51cbafe9909451b1c
              • Instruction ID: c738dac343f922f46fcf8f347c69e493212927c0bfef0472e330b517ef6d2203
              • Opcode Fuzzy Hash: 5ea5a92628c14f6344febc4a63bcbb715258d1d298c1eca51cbafe9909451b1c
              • Instruction Fuzzy Hash: FA21D421B0CA4C4FDB92EB7844A53B87BE2EF8A255F9481BAE40DC7183DE3899158741
              Strings
              Memory Dump Source
              • Source File: 00000018.00000002.3441959262.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_24_2_7ffd34850000_AV4b38nlhN.jbxd
              Similarity
              • API ID:
              • String ID: (6q4
              • API String ID: 0-1941208557
              • Opcode ID: b4b94f27714ab4c1ec0aca42395e19eab05154de88d350cf5152971a1e70c391
              • Instruction ID: 3ce2390f4b0768a110f107916364cfbd0efe08e6e3c31777aaaae03d3ecaba99
              • Opcode Fuzzy Hash: b4b94f27714ab4c1ec0aca42395e19eab05154de88d350cf5152971a1e70c391
              • Instruction Fuzzy Hash: 1F813550B0E7C54FEB47A77848B96687FB19F5B200B0A04FBE589CB1E3DD1C68099362
              Memory Dump Source
              • Source File: 00000018.00000002.3441959262.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_24_2_7ffd34850000_AV4b38nlhN.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: e5886e9e059b7d01b06b1b04aa481d700c6c05df4c92644b0b19a4d9ffd9a0fa
              • Instruction ID: 5fc6ce415ac25637a9517e42b10eebd91cc316bf6448e63904e73bbbd60ae0ee
              • Opcode Fuzzy Hash: e5886e9e059b7d01b06b1b04aa481d700c6c05df4c92644b0b19a4d9ffd9a0fa
              • Instruction Fuzzy Hash: 32512961718B484FE756EB2C88A57A97BE1EF5B300F4541FAE44EC72E3DD38A8088751
              Memory Dump Source
              • Source File: 00000018.00000002.3441959262.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_24_2_7ffd34850000_AV4b38nlhN.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 7768b8ceb4b368e221bc38d60b56358d65d7281c4ae61b360da8167777e19ea3
              • Instruction ID: a324436c0048f8578a72a3cea4783f922967e1deeeba6dcf88e85392eb41454b
              • Opcode Fuzzy Hash: 7768b8ceb4b368e221bc38d60b56358d65d7281c4ae61b360da8167777e19ea3
              • Instruction Fuzzy Hash: 2031042060D7864FD7139738C8E5A757FE0DF5B200F5A45EAD08ACF1A3EA18D845C392
              Memory Dump Source
              • Source File: 00000018.00000002.3441959262.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_24_2_7ffd34850000_AV4b38nlhN.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: d553e63d81235c6193439d5df4b990fcc6e5fa94d640bf093b085ece1d810f26
              • Instruction ID: 28c34f45ab8facc03ad0ef365904b221f977b6929218cd935d997eeaef995161
              • Opcode Fuzzy Hash: d553e63d81235c6193439d5df4b990fcc6e5fa94d640bf093b085ece1d810f26
              • Instruction Fuzzy Hash: CD21E560B18E4D9FDBA4EB6C88A97B977D1FB5A301F00417AE54DC3293DE28AC458781
              Memory Dump Source
              • Source File: 00000018.00000002.3441959262.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_24_2_7ffd34850000_AV4b38nlhN.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: ed71426e69c3b20db853de897993575c1d2192206701d552c652b2f31dc748b1
              • Instruction ID: 8dc6f6d73cbaf6ba866d763d40d33ca9977c5040b90d1ddab37c138f2a033034
              • Opcode Fuzzy Hash: ed71426e69c3b20db853de897993575c1d2192206701d552c652b2f31dc748b1
              • Instruction Fuzzy Hash: 8131BF6161D7C94FE7469B2888A57647FE1EF4B314F4941EAD089CF1A3CA2888098752
              Memory Dump Source
              • Source File: 00000018.00000002.3441959262.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_24_2_7ffd34850000_AV4b38nlhN.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: db29db69aec10e85c7c3e69890320f8fb26b968ce4a7719ecdade9539ac3fd00
              • Instruction ID: 7043b9a0caa0f111a57c44d7c4baef4082481f3b1f1343d9daf64e6b8b6567dc
              • Opcode Fuzzy Hash: db29db69aec10e85c7c3e69890320f8fb26b968ce4a7719ecdade9539ac3fd00
              • Instruction Fuzzy Hash: 7F21D67171D7885FE7429B6898647A53FE1EF4B350F5A01E7E44DCB2A3C9285C098362
              Memory Dump Source
              • Source File: 00000018.00000002.3441959262.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_24_2_7ffd34850000_AV4b38nlhN.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: dd91d7ea37ca146e0205448945cdf1e89c1684856481e13ec7c50a98530bfbc3
              • Instruction ID: 348889216dbe3e06e56c0640bc52355b59c64832a8ad7d9235a898d2af7fca2e
              • Opcode Fuzzy Hash: dd91d7ea37ca146e0205448945cdf1e89c1684856481e13ec7c50a98530bfbc3
              • Instruction Fuzzy Hash: 1021F620B1CA4C4FDB91EB7884A53B87BE2EF8A254F5481FAE00DC7283DE3898058741
              Memory Dump Source
              • Source File: 00000018.00000002.3441959262.00007FFD34850000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD34850000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_24_2_7ffd34850000_AV4b38nlhN.jbxd
              Similarity
              • API ID:
              • String ID:
              • API String ID:
              • Opcode ID: 414fa2a578445f9b703bdfe1d95cd9ef4c133bc43aa499412c8fb3bbfb6f47f2
              • Instruction ID: 72904a3e7364d275d45dc7f87be842de4dbf44c69419f31138e9b9857d830219
              • Opcode Fuzzy Hash: 414fa2a578445f9b703bdfe1d95cd9ef4c133bc43aa499412c8fb3bbfb6f47f2
              • Instruction Fuzzy Hash: 40210470B087484FEB42EB6898697E93BE1EF5A300F5600F6E44DCB293CE3898098751